PC-BSD GALILEO AND GALACTIC TECH SUPPORT 


The people at iXsystems may not do a whole lot in the way of observational astronomy, but they do appreciate Galileo's intrepid work to change the face of science. In that spirit, PC-BSD hopes to change the face of the Operating System world. As Galileo reduced complex problems to a simple set of terms on the basis of everyday experience and common-sense logic, PC-BSD translates computer processes that would be difficult for the casual user into simple, intuitive interfaces. iXsystems also offers technical expertise and unparalleled industry support for the FreeBSD and PC-BSD platforms, which will make your experience using Galileo out of this world. 


Built on a FreeBSD 7.1 core, PC-BSD Version 7.1 Galileo Edition brings stability, security and ease of use to the desktop and the server through its use of the KDE 4.2 desktop and self-installing software packages, as well as graphical system administration tools. PC-BSD Version 7.1 Galileo Edition has hundreds of programs available for download on http://www.pbidir.com as well as on the second installation disc, covering a wide array of functions, from graphical editing programs to office oriented software. Galileo Edition also has full proxy support for PBI and system updates, thin client server support, drastically improved nVIDIA performance and speed increases, and a new backup and recovery tool. 


Getting PC-BSD up and running is fast and easy, but having expert help on-hand to 
solve your problems can take your computing experience to new heights. From 
optimizing your small office set-up to guidance on large-scale deployments, the 
iXsystems team can ensure you get the most from your PC-BSD and FreeBSD systems. 


Technical expertise 


When you sign on for iXsystems Professional Services you get a team of PC-BSD and FreeBSD 
experts. iXsystems partners with the most advanced developers and long-time contributors 
from the BSD communities to offer custom development and advanced level support and 
consulting services. 


Large rollouts and migrations 


The Professional Services Team provides installation support for large networks. Our technicians 
will work with you to determine your operational needs and set up any number of desktops and 
servers. Our experts can also provide specialized support to your system administrators. 


Custom PBI creation and application installation 


PC-BSD uses a graphical utility, known as PBIs (push button installers), to remove and install software. These PBIs are self-contained and contain their own libraries, eliminating the problem of shared dependencies. The experts at iXsystems are well versed in compiling software applications into PBIs for use on PC-BSD. On the occasion where a program needed to run on Galileo is unavailable, the Professional Services Team can develop a push button installer application. If needed, these applications can be deployed over multiple desktops by our technicians. 


Escalation management 


iXsystems is the all-around FreeBSD company that builds FreeBSD-certified servers and storage 
solutions, runs the FreeBSD Mall, and is the corporate sponsor of the PC-BSD Project. When the 
iXsystems Service Support Team encounters a confirmed bug, we can escalate the bug to the 
FreeBSD engineering team. We can also work with The FreeBSD Project to create and submit 
patches to the FreeBSD community for possible inclusion in the latest release. 


Be a part of our efforts to change the face of the Operating System world. Contact iXsystems at (408)943-4100 or visit our website at http://ixsystems.com/support/professional-bsd-support.html and fill out the Inquiry form for more information. We will pair you up with an Account Management Service Professional that can assess your needs and create a custom FreeBSD or PC-BSD support plan for your organization! 


Editor’s Note 


Dear All, 


It is already the fifth issue of BSD magazine and we all hope there will be another 50... and more! I hope you will like the refreshed layout of the magazine: short news and a little reorganization of the content. Hopefully, you will find it useful and helpful in your journey into the BSD world. 


This issue is devoted to the FreeBSD distribution. We did our best to cover the most interesting and useful topics in the form of step-by-step tutorials, so that everybody can take the chance to do it. 

For beginners we prepared an article describing the process of FreeBSD 7.1 installation and configuration. In the how-to's section we covered topics like OpenSMTPD, the GNOME desktop on FreeBSD, packaging software, a Jabber server, building a wireless router, CPU scaling and much more. 

In the security corner you will find articles devoted to LDAP authentication and the Snort Intrusion Detection System. For those of you who are interested in multimedia on BSD systems, Donald T. Hayford wrote a great article on building an embedded video web server. We also included lots of tips & tricks by Dru Lavigne and Mikel King. 

As always, we are waiting for your comments, replies, ideas and suggestions. If you would like to become a BSD author or betatester, don't hesitate: keep the mails coming in! 


Enjoy! 
6 Installing FreeBSD 7.1 with Enhanced Security (Jails) 
Remko Lodder 
This article will guide people that are new to FreeBSD on installing the software and enhancing its security by setting up FreeBSD jails that will give service to, for example, a webserver. 


DVD description 
16 DVD Contents 


A description of DVD content — check what we have prepared 
for you in this issue. 


how-to’s 
18 OpenSMTPD 
Gilles Chehade 


In this issue I will shamelessly take the opportunity to write about the smtp server that was imported into the OpenBSD source tree last November. It isn't enabled yet, it isn't even linked to the build, but it is making good progress and this article will describe what it currently does. 


24 Getting a GNOME Desktop on FreeBSD 

Jan Stedehouder 
'Why would you want to install GNOME on FreeBSD? It's a KDE system!' This summarizes some remarks I got when checking out how to install the GNOME desktop environment on a FreeBSD box. 


28 Packaging Software for OpenBSD, Part 2 
Edd Barrett 

In the last article in this series, we looked at how to package 
a simple piece of open source software for OpenBSD. In 
this article we build on what we learned last time and move 
onto some more advanced features provided by the ports 
system in order to package software with more complex 
needs. 


32 A Jabber Data Transfer Component 

Eric Schnoebelen 
So, you've got your Jabber server up and running, the family using it, and you're still in contact with your friends on the "walled garden" networks. You're having family meetings using a conference room, and all the family communications are secure. What next? 


36 Building a FreeBSD Wireless Router 
Eric Vintimilla 

Why use a FreeBSD machine as a wireless access point? 
Don't most Internet Service Providers give you a free modem/ 
router? While this may be true most of the time, it is not 
always the case. Besides, building your own is easy, and it 
gives a great deal of options for both System Administrators 
and control freaks alike! 


Contents 


40 CPU Scaling on FreeBSD UNIX 

Slawomir Wojciech Wojtczak (vermaden) 
Comparing FreeBSD to other solutions like Solaris or Linux implementations, that directly follow Intel's defined C-states and P-states for the CPU, FreeBSD goes a bit further by offering the end user every possible frequency that the CPU can run on. This may sound misleading, but things will be simple afte 


security corner 
44 LDAP Authentication on OpenBSD Boxes 


Nicolas Grenéche 
LDAP (Lightweight Directory Access Protocol) is a massively 
used protocol to store users information. This protocol is 
implemented in OpenLDAP a directory software available on 
every operating system’s package manager. 


48 FreeBSD and Snort Intrusion Detection 
System 
Svetoslav P. Chukov 
What is an intrusion detection system? The Intrusion Detection 
System shortly called IDS is a software and/or hardware 
designed to help you to detect attempts of accessing computer 
systems, mainly through a network, such as the Internet. 


multimedia 


54 Build An Embedded Video Web Server 
With NetBSD 
Donald T. Hayford 
While its safe to say that the recently developed USB video 
driver was built and tested using only a desktop “i386- 
compatible” machine, the beauty of NetBSD is that the same 
driver will work on any NetBSD-supported hardware. So grab 
your favorite embedded processor and let's try some video. 


tips & tricks 
60 FreeBSD Tips 


Dru Lavigne 
Whether you're new to FreeBSD or have been using it for 
some time, learning a new trick or two can save you time 
and increase your user experience. 


64 Maintaining System Configuration Files 
Using Subversion 
Mikel King 
Recently I was asked about maintaining a data center full of servers. More specifically about maintaining a repository of the configuration files for all servers in the data center. And this is what I am going to show you in this article. 


interview 
66 Q&A about Dtrace 
Federico Biancuzzi 


Federico interviews John Birrell and George Neville-Neil about DTrace, a dynamic tracing system developed by Sun Microsystems. 
Installing FreeBSD 7.1 with Enhanced Security (Jails) 


Remko Lodder 


This article will guide people that are new to FreeBSD on installing the software and enhancing its security by setting up FreeBSD jails that will give service to, for example, a webserver. 


We will begin by fetching the installation media, then using the media to do the installation; we will then upgrade our system and place the foundation for our jails, and finally set up the required infrastructure around it. Advanced users that are already familiar with how FreeBSD works might benefit from the jails paragraph which you can find below. 


Obtaining the installation media 

So we decided to give FreeBSD a try, good! But how do we get it running? Let's visit the FreeBSD website at http://www.freebsd.org/. We will see the index page of the website, showing a big yellow Get FreeBSD now button. If we click on this we will navigate to a new page, showing the available downloads. For example the 7.1-i386 ISO images are available on ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/ISO-IMAGES/7.1/, but it might be inefficient to download the files using the main FreeBSD FTP server. There are localized FTP servers, probably also near you, which can be used to get the media. The localized FTP servers are available through ftp://ftp.<countrycode>.FreeBSD.org/pub/FreeBSD/releases/i386/ISO-IMAGES/7.1/, which in my case would be ftp://ftp.nl.FreeBSD.org/pub/FreeBSD/releases/i386/ISO-IMAGES/7.1/. On the FTP server there is a list of downloadable files like: (see Listing 1). The same directory also holds the CHECKSUM.MD5 and CHECKSUM.SHA256 files; compare the downloaded ISO against them (with sha256 on FreeBSD, or sha256sum on most other systems) before burning it, so that you do not install from a corrupted or tampered image. Personally I always download the disc1.iso file; this file delivers me the standard installation and does not require that I have internet access (which is the case for the bootonly ISO). If you download the disc1 ISO file you can get a rapid installation, which takes less than 15 minutes in my case. 


Preparing the installation media 

We have fetched the required ISO (either CD or DVD, depending on your wishes) and need to put it on a disc. If you have a burner you usually get software with it. Given that we are doing the FreeBSD installation for the first time, I'll assume that there is some kind of operating system already running on the machine, which should support the burning of ISO files. Within Windows, if the software is correctly installed, you can double-click on the ISO file, after which it will burn the contents of the ISO file in a pre-determined format to the CD or DVD. Please check whether the CD or DVD is readable before restarting the machine. You can do that by inserting the CD or DVD and navigating through its directory structure. 


Starting the installation 

Now that the CD has been burned we can boot from it. The installation CD is configured to start the installation application immediately, so no further actions are required to get the installer going. 
Figure 1. Initial boot from the installation CD (BTX loader and FreeBSD/i386 bootstrap loader output) 
Configuring during the installation 

The installation CD brings you to the installer, which is the heart of the installation that we will be doing. The first window that we will be seeing is the main screen. Here sysinstall (in case you want to return to the application sometime later) gives you the option to do various configurations and select an installation type. 

We will start by picking the Standard option, which is the most convenient for new users. The installer will tell us that the upcoming screen will help us set up a partition scheme for the disk that we will be using. By clicking [OK] we will proceed to the next window; sometimes this window is an alert that the geometry is not the same as being advertised, but I never had problems even with this warning. 

We click on [OK] again and the fdisk screen will pop up. Do not be afraid, you do not have to understand this part. Since we will be installing FreeBSD we will use the entire disk (if you are not sure whether you want to do that, you can always install this in a virtual machine, use a separate disk, or read the handbook for detailed instructions on how to create multi-boot instances), which makes it easy to get going. Press the [A] button and a disk layout will be automatically created. Navigate to the middle line (which is the entire disk that we just created) and press the [S] button. This will mark the partition as active and makes sure we can boot from the disk. 

Then the installer will ask us where we want to install the boot manager: do we want to place it on the partition root, or do we want to place it on the MBR (which is the super root of the disk). We will select the BootMgr and continue to the next screen. The installer continues by loading the disklabel editor. The disklabel editor is used to configure the partition; it enables you to select what space you want to assign where, so that you can limit the resources. Since we do not want to think much about this, we press the [A] button and the space is distributed via a standard scheme (a formula is behind that, so that you will always get a sensible layout). Continue by pressing the [Q] button. 

So we know how the disk layout is going to be, we have made up a scheme to see where we are going to put our space, but we didn't select what to install yet. Mostly I pick the Minimal installation. This is the one that is done the quickest and has maximum flexibility in the future. Of course you are free to select the option you prefer instead. After selecting the distribution type, the installer will ask us from which medium we want to install the distribution. If you burned the CD1 image or the DVD image, you can select CD/DVD here, else select the network installation (this is not covered in this article). The installer will dump the contents of the CD on the disk layout as we defined it, and will continue with the question whether we want to set up an Ethernet or SLIP device. The latter probably doesn't make sense to you but perhaps Ethernet does. Ethernet is the standardized cable that most people plug in their machines to have internet access. Select [YES] to configure the Ethernet device. 

Now that we have selected yes, a new window appears with various interfaces; select the one that sounds like your internet-facing card. This sounds a bit vague, but in case you have one controller there are only four options, three of them being PLIP, SLIP and PPP, which are most likely not the ones we need to configure here. 

Select the driver that remained, and we will be asked to do autoconfiguration of the interface by using IPv6. Since we do not need this here we select [NO]. Most networks in home environments are set up to use automatic configuration using DHCP. This is our next option, so we will select [YES] here. Now that we have selected this, a new window appears with detailed information about the address that we obtained. 

The window expects us to give a name to the machine; select a name that you favor, navigate to the OK button and continue. The hostname is set up as yourname.yourdomainname.extension. My machines are all named after elves from the Elvandar series, so their name is: 


<name of elf>.elvandar.org 


which makes it easy for me to spot which machine is which. Before returning to the main screen, sysinstall also asks its final configuration questions, among them setting the root password and adding a user account for yourself; do both, since working as root day to day is dangerous. After doing this configuration, we will return to the main screen, where we can select Exit Installation. This will reboot our machine with the fresh installation on it. 


Rebooting the machine for the first time 

After the configuration has been completed and we exit from the sysinstall application, the machine will reboot so that it will be prepared for its first use. 


Retrieving the latest source code tree for FreeBSD 7.1 

So, now that we have installed the default installation of FreeBSD and restarted it so that all required services are started, it is time to make sure our system is as up to date as possible. While there are multiple ways to do this, I will use the csup method to retrieve the latest source code for the 7.1-RELEASE branch. We will compile this into a new version for our machine (including the latest security patches) and it will finally form the foundation for our jail infrastructure. Log on to the system and switch user to root. 


$ su - 
Password: 
# 

You are now the root user and you will be able to retrieve the source code and eventually compile it. Now let us copy the template CVSup file, which will be used by csup to retrieve our source code. We will place the copy in our root directory. 


# cp /usr/share/examples/cvsup/stable-supfile /root/freebsd-71-csup 


After that we need to edit the file so that it 
does what we expect it to do: 


# vi /root/freebsd-71-csup 


A new window will be drawn in which the contents of the file will be displayed. We need to modify two different variables, which can be easily found by searching for the text. Scroll down by using the arrow keys and place the cursor on the CHANGE_THIS part of the text below: 


*default host=CHANGE_THIS.FreeBSD.org 


Issue cw and type cvsup.<countrycode>, where countrycode should be replaced by the country you are in; I would type cvsup.nl. After that press [esc] and navigate to the line stating the default release, which looks like the following: 


*default release=cvs tag=RELENG_7 


Place the cursor on the RELENG_7 part, again issue cw and type RELENG_7_1, and hit [esc]. Issue :wq after which the file has been saved. We have now set the server from which we will be fetching the sources, and the distribution that we have chosen: 7.1-RELEASE in our case (including security patches). Note that the tag matters: RELENG_7_1 tracks the 7.1 security branch, that is the release plus the fixes from security advisories and errata notices, whereas leaving RELENG_7 in place would give you the moving 7-STABLE development branch. You will return to a root prompt (#) where we can update the source code: 


# csup /root/freebsd-71-csup 


If everything has been configured correctly this will take a little while and will show information about files that are being added / checked out and things like that. After the run has been completed you will return to a root (#) prompt. 


Now that we have the source code, we can find it under /usr/src. Navigate to it by doing: 


# cd /usr/src 


Now we can start the upgrade procedure. Note that I am expecting you to use the GENERIC kernel and that we do not modify things upfront. You can find more information about the procedure here [1], on how to adjust your kernel configuration to your specific needs; note well that you should be able to support yourself in case you go for this option, because only the GENERIC kernel is supported by the FreeBSD team. Of course the various teams will do their best to get you up to speed in case you do have problems, and one of their first questions will be whether or not the GENERIC kernel works. 

Assuming we will do a normal run without any modifications, we will issue the following on the command line: 


# make buildworld && make buildkernel 


This will result in a new world and kernel in their holding place. If all went well you will have a message stating that the kernel build was successful (it will not tell you that the world build was successful because that scrolled out of view, but because the two commands are chained with &&, the kernel is only built when the world build completed successfully). 


>>> Kernel build for GENERIC completed on `date` 


We can now install the new kernel and reboot into single user mode (choose the single user option at the boot loader menu, so that the new kernel is running before the world is installed): 


# make installkernel 


After rebooting, log on again and navigate to /usr/src once more: 


# cd /usr/src 


Start the mergemaster tool in order to prepare the system for the new world: 


# mergemaster -p 


This will install the required support files and configuration files that were needed (new users and groups, for example), so that the new world will be able to install and start successfully. If this completes we can issue the following: 


# make installworld 
followed by: 
# mergemaster -U 


The latter mergemaster command will automatically upgrade files that have not been modified by the user; it still prompts for files you changed yourself (such as /etc/rc.conf), so review those diffs rather than blindly installing the new version. 

When this completes we can reboot the machine and everything will start working again. 
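The whole source-update sequence above, from editing the supfile to the second mergemaster run, is easy to get wrong by hand, so here it is as a small POSIX sh script. This is an added example, not code from the article or from the FreeBSD project: the function names, the constructed sample template (which only mirrors the two variables of /usr/share/examples/cvsup/stable-supfile) and the mirror name are assumptions, and the mirror argument is the full host name that the article's cw edit produces. The script rewrites only the host and tag lines, refuses to continue if CHANGE_THIS or the wrong tag survived, and prints the rebuild steps in the order the article prescribes instead of running them. (The CVSup/csup mirrors were retired by the FreeBSD project years after this article, so on a current system the same checks apply to a Subversion or Git checkout instead.)

```shell
#!/bin/sh
# Added example, not code from the article or the FreeBSD project: prepare
# the csup configuration for the 7.1 security branch without an interactive
# vi session, verify it, and list the rebuild steps in the right order.
# Function names, the constructed sample template and the mirror name are
# assumptions of this example.

# make_supfile TEMPLATE OUTPUT MIRROR TAG
# Copy the stable-supfile template, rewriting only the two lines the article
# edits by hand (the mirror host and the CVS tag); everything else is kept.
make_supfile() {
    sed -e "s|^\*default host=.*|*default host=$3|" \
        -e "s|^\*default release=cvs tag=.*|*default release=cvs tag=$4|" \
        "$1" > "$2"
}

# check_supfile FILE MIRROR TAG
# Non-zero unless FILE names the expected mirror and tag. RELENG_7_1 is the
# 7.1 security branch (release plus advisory and errata fixes); leaving the
# template's RELENG_7 would silently pull the moving 7-STABLE branch instead.
check_supfile() {
    grep -q "^\*default host=$2\$" "$1" || return 1
    grep -q "^\*default release=cvs tag=$3\$" "$1" || return 1
    if grep -q 'CHANGE_THIS' "$1"; then return 1; fi
    return 0
}

# sample_template FILE: a constructed stand-in for
# /usr/share/examples/cvsup/stable-supfile carrying the same two variables.
sample_template() {
    printf '%s\n' '*default host=CHANGE_THIS.FreeBSD.org' \
        '*default base=/var/db' '*default prefix=/usr' \
        '*default release=cvs tag=RELENG_7' \
        '*default delete use-rel-suffix' 'src-all' > "$1"
}

# rebuild_steps SUPFILE: the article's update sequence, printed rather than
# run, because installkernel must be followed by a reboot into single-user
# mode on the new kernel before mergemaster -p and installworld.
rebuild_steps() {
    cat <<EOF
csup $1
cd /usr/src && make buildworld && make buildkernel
make installkernel
shutdown -r now        # at the loader menu choose single-user mode
fsck -p && mount -u / && mount -a -t ufs && swapon -a
cd /usr/src && mergemaster -p && make installworld && mergemaster -U
reboot
EOF
}

# Usage: sh supfile.sh /root/freebsd-71-csup cvsup.nl.FreeBSD.org
# Without arguments the script only defines the functions above.
if [ $# -eq 2 ]; then
    tmpl=/usr/share/examples/cvsup/stable-supfile
    [ -r "$tmpl" ] || { tmpl=/tmp/stable-supfile.sample; sample_template "$tmpl"; }
    make_supfile "$tmpl" "$1" "$2" RELENG_7_1 &&
        check_supfile "$1" "$2" RELENG_7_1 && rebuild_steps "$1"
fi
```

Run it as root with the output path and the mirror as arguments; it writes the supfile, checks it, and then prints the csup and build commands for you to run step by step, since the reboot into single-user mode in the middle cannot be scripted away.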


Using the latest source code as a foundation for the Jails 

With the latest source code that we have prepared and installed on the host system it is possible to finally start working on our jails. The idea of jails that we will be presenting is heavily borrowed from Simon Nielsen's guide to installing FreeBSD service jails, which is a form of jails that is used for service-specific goals, like webservers and things like that. Before we can do the setup though, it's important to understand a few bits and pieces of the upcoming installation. 

The installation of the distribution will be done in one so-called master jail. This master jail is the template for each and every jail and will be accessed read-only, so a service that gets compromised inside one jail cannot alter the binaries and libraries shared by all of them. Each jail will get its own space in which it can write. Following Simon's style we will do a few definitions: 


Each jail will be mounted under the /home/j directory. This will be our jail root. 

/home/j/mroot will be the template for all our jails and will be read only for us. 

All jails will get a separate directory under /home/j, and will be named with something descriptive, like www for the webserver. 

Each jail will have a /s directory which will be linked to the read-write system; this enables us to separate read-write access and protect our default binaries and things. You are free to make everything as read only as possible, but be aware that some directories like /var and /tmp need write access as well, to write away important state information and logging. 

Each jail will have a read-write system that is based upon /home/j/skel. 

Each jail space (the read-write portion of each jail) will be created in /home/js. 


For the sake of the installation we will keep to these definitions, but of course you are free to modify them to your needs. In case you do want to use a separate partition or anything, I would suggest either /jails or /usr/local/jails as the name for the directory structure. 

The directories to do this are not set up automatically, so we need to create them upfront: 


# mkdir /home/js /home/j 


Because we already have up to date sources, which are already compiled, we can easily start the installation. Before we can do that we need to create the appropriate directories: 


# mkdir -p /home/j/mroot 
# cd /usr/src 
# make installworld DESTDIR=/home/j/mroot 


After that we need to navigate into the /home/j/mroot directory and create the skeleton for the ports: 


# cd /home/j/mroot 
# mkdir usr/ports 
# portsnap -p /home/j/mroot/usr/ports fetch extract 


Now create the skeleton for the read-write portion of the system (the mv commands are run from within /home/j/mroot): 


# mkdir /home/j/skel /home/j/skel/home /home/j/skel/usr-X11R6 /home/j/skel/distfiles 
# mv etc /home/j/skel 
# mv usr/local /home/j/skel/usr-local 
# mv tmp /home/j/skel 
# mv var /home/j/skel 
# mv root /home/j/skel 


The mergemaster tool can assist us with the installation (and later on updating) of the configuration files. Since this will create additional directories that are not needed, we need to remove them afterwards. 


# mergemaster -t /home/j/skel/var/tmp/temproot -D /home/j/skel -i 
# cd /home/j/skel 
# rm -R bin boot lib libexec mnt proc rescue sbin sys usr dev 


We are almost done; we need to set up the read-write file system so that we have a place to store files etc. Every writable location in the template becomes a symbolic link into /s, which at runtime is the jail's own read-write mount: 


# cd /home/j/mroot 
# mkdir s 
# ln -s s/etc etc 
# ln -s s/home home 
# ln -s s/root root 
# ln -s ../s/usr-local usr/local 
# ln -s ../s/usr-X11R6 usr/X11R6 
# ln -s ../../s/distfiles usr/ports/distfiles 
# ln -s s/tmp tmp 
# ln -s s/var var 

Because we have specifically created a read-write space in our jail, we need to make sure that we can build ports in the right directory; add the following to /home/j/skel/etc/make.conf by doing the following: 


# echo "WRKDIRPREFIX?= /s/portbuild" >> /home/j/skel/etc/make.conf 


Our basic installation and setup has now been done. Let's continue by setting up specific jails; the example I am going to give only handles setting up a webserver, see the FreeBSD Handbook for additional examples and more information. 

Assuming everything went fine so far, we will set up the basic things needed to build a webserver. First, we will handle the foundation for it and later we will use third party packages that will enable the use of the webserver. We will name the jail www, which is the appropriate name for a webserver. 


Let us create the directories that are 
required for this; 


# mkdir /home/j/www /home/js/www 


Since we want to use the jails after a restart, we will specify them in the /etc/fstab file so that the machine mounts the required directories during startup:

# echo "/home/j/mroot /home/j/www nullfs ro 0 0" >> /etc/fstab
# echo "/home/js/www /home/j/www/s nullfs rw 0 0" >> /etc/fstab

The above will only make the directory structure available; we of course need to start the management foundation for the jails as well. We can do that by adding the following lines to /etc/rc.conf:

# echo '
jail_enable="YES"
jail_set_hostname_allow="NO"
jail_list="www"
jail_www_hostname="www.example.org"
jail_www_ip="192.166.0.1"
jail_www_rootdir="/usr/home/j/www"
jail_www_devfs_enable="YES"' >> /etc/rc.conf

Next we copy the skeleton directory to the jail. Before we can do this we need to install the sysutils/cpdup utility:

# pkg_add -r cpdup

This will remotely add the cpdup utility as hinted by Simon's guide.

# cpdup /home/j/skel /home/js/www

The jails are now ready to be started; we will need to attach the various required directories (which will happen automatically at boot):

# mount -a

And we need to start the jails:

# /etc/rc.d/jail start

You should be able to view information about the jails that are being started now. In case you didn't see this information, or want to review information about what is currently running, you can use the jls command, which will list the active jails. In order to do something fancy with the jail, you need to get access to it. Since we are logged in as root, we can easily hop into the jail:

# jexec 1 /bin/csh

This will give you the csh shell within the first jail (you can get the jail ID from the jls command).
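The fstab mounts, the jail_* variables and the cpdup step above are easy to get wrong when they are repeated for a second or third jail. The following script is an added example, not part of this article or of the FreeBSD Handbook: it prints the /etc/fstab and /etc/rc.conf fragments for any number of jails from name:hostname:ip specifications, so they can be reviewed before being appended. The directory layout (/home/j/mroot as the shared read-only base, /home/j/<name> as the jail root, /home/js/<name> as the per-jail read-write data) follows the article; the hostnames and addresses in the usage line are made up.

```shell
#!/bin/sh
# Added example, not from the article: generate the /etc/fstab and
# /etc/rc.conf fragments the article appends by hand, for any number
# of jails given as name:hostname:ip.
# Layout assumed from the article: /home/j/mroot is the shared base
# (mounted read-only, so a compromised jail cannot alter it),
# /home/j/<name> is the jail root and /home/js/<name> the per-jail
# read-write data mounted at <root>/s.

# Jail names become part of rc.conf variable names, so only
# [A-Za-z0-9_] is accepted; spaces, dots and quotes are rejected.
valid_jail_name() {
    case $1 in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the two fstab lines for one jail: base read-only, data read-write.
jail_fstab_lines() {
    valid_jail_name "$1" || return 1
    printf '%s\n' "/home/j/mroot /home/j/$1 nullfs ro 0 0"
    printf '%s\n' "/home/js/$1 /home/j/$1/s nullfs rw 0 0"
}

# Print the per-jail rc.conf variables. Arguments: name hostname ip.
jail_rc_lines() {
    valid_jail_name "$1" || return 1
    printf 'jail_%s_hostname="%s"\n' "$1" "$2"
    printf 'jail_%s_ip="%s"\n' "$1" "$3"
    printf 'jail_%s_rootdir="/usr/home/j/%s"\n' "$1" "$1"
    printf 'jail_%s_devfs_enable="YES"\n' "$1"
}

# Print a complete rc.conf block for all jails given as name:hostname:ip.
# jail_set_hostname_allow="NO" keeps root inside a jail from renaming
# the host, as in the article's configuration.
jail_rc_conf() {
    names=
    for spec in "$@"; do
        n=${spec%%:*}
        valid_jail_name "$n" || { echo "bad jail name: $n" >&2; return 1; }
        names="$names${names:+ }$n"
    done
    printf 'jail_enable="YES"\n'
    printf 'jail_set_hostname_allow="NO"\n'
    printf 'jail_list="%s"\n' "$names"
    for spec in "$@"; do
        n=${spec%%:*}; rest=${spec#*:}
        h=${rest%%:*}; ip=${rest#*:}
        jail_rc_lines "$n" "$h" "$ip"
    done
}

# Print the fstab lines for all jails given as name:hostname:ip.
jail_fstab() {
    for spec in "$@"; do
        jail_fstab_lines "${spec%%:*}" || return 1
    done
}

# Usage (made-up hosts and addresses):
#   sh jails.sh www:www.example.org:192.0.2.10 mail:mail.example.org:192.0.2.11
# Review the output, then append it to /etc/fstab and /etc/rc.conf.
if [ $# -gt 0 ]; then
    echo "# fstab"; jail_fstab "$@"
    echo "# rc.conf"; jail_rc_conf "$@"
fi
```

The script deliberately prints rather than writes: appending to /etc/fstab and /etc/rc.conf is done once the output has been checked, and the name check prevents a stray character from breaking every jail_* variable that follows it.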
Installing third party packages within your jails

We now have a complete jail running, but no services yet. Earlier we decided that we will be running a webserver on it. I will give an idea on how to set up a webserver, which you can adjust to your own specific needs.

During the jail installation we retrieved a fresh copy of the FreeBSD Ports Collection by using the portsnap utility. This enables us to easily install a webserver. There are various webservers, but the one commonly used is the Apache webserver. It's also the best-known webserver (in my understanding) and has lots of documentation available online at http://httpd.apache.org.

The FreeBSD Ports Collection has various versions of the Apache webserver, in various flavours. We will install version 2.2 of the webserver and use the default installation options to get it going. Remember, we are still in the jail.

Navigate to the Apache ports directory:

# cd /usr/ports/www/apache22

To compile and install it use the following:

# make install

If this is your first time, a popup might show a new window in which you can select certain options that you want to have enabled on your Apache installation. We do not care about this, so we navigate to [OK] and continue the build. After a while the installation completes, and the webserver has been installed. To start the webserver, first add the following line to /etc/rc.conf:

# echo 'apache22_enable="YES"' >> /etc/rc.conf

Followed by the start command:

# /usr/local/etc/rc.d/apache22 start

The webserver will now be started. Start a browser and navigate to the IP you used to set up the jail; if all went well you will see a page that says "It works!". Additional configuration is left to the reader as an exercise.

Personally I have set up a hosting webserver, mailserver, internal mailserver, spamfilter + rol server and playground server by using the same approach. Each and every jail is separated from the others and cannot break out of its scope. Though the current design is limited by having only a single IP available for each jail, this will change in the future and make FreeBSD jails an even more robust form of enhancing your FreeBSD box's security.

First of all, FreeBSD jails will be able to use multiple IPs, both IPv4 and IPv6, as well as IP-less jails. This enhancement makes it easier for webservers to do virtual hosting.

After following this article you should be able to install the FreeBSD 7.1 system and set up FreeBSD jails to do service-specific tasks. Furthermore, you know what the upcoming version has to offer in comparison with the current FreeBSD jails.


I talked a lot about the FreeBSD Handbook, and actually much of the content of this article has its roots in the handbook. The handbook is one of the best available documents for an open-source operating system and covers basic things like the installation and Unix basics, as well as advanced things like advanced networking. I think it's advisable for everyone to have a peek at the handbook to get more information about what we did and how to get further with your machine: http://www.freebsd.org/doc/en/books/handbook/. Or, if you'd rather read a localized version, some people (including me and a lot of other people from the Netherlands) create these versions for you. If it exists you can find it at http://www.freebsd.org/doc/<langcode>/books/handbook/, so for Dutch that would mean http://www.freebsd.org/doc/nl/books/handbook/.
The FreeBSD Release Engineering Team is pleased to announce the availability of FreeBSD 7.1-RELEASE. This is the second release from the 7-STABLE branch which improves on the functionality of FreeBSD 7.0 and introduces some new features. Some of the highlights:

The ULE scheduler is now the default in GENERIC kernels for amd64 and i386 architectures. The ULE scheduler significantly improves performance on multicore systems for many workloads.

Support for using DTrace inside the kernel has been imported from OpenSolaris. DTrace is a comprehensive dynamic tracing framework.

A new and much-improved NFS Lock Manager (NLM) client.

Boot loader changes allow, among other things, booting from USB devices and booting from GPT-labeled devices.

The cpuset(2) system call and cpuset(1) command have been added, providing an API for thread to CPU binding and CPU resource grouping and assignment.

KDE updated to 3.5.10, GNOME updated to 2.22.3.

DVD-sized media for the amd64 and i386 architectures.

For a complete list of new features and known problems, please see the online release notes and errata list, available at:

http://www.FreeBSD.org/releases/7.1R/relnotes.html
http://www.FreeBSD.org/releases/7.1R/errata.html

For more information about FreeBSD release engineering activities, please see: http://www.FreeBSD.org/releng/

Availability

FreeBSD 7.1-RELEASE is now available for the amd64, i386, ia64, pc98, powerpc, and sparc64 architectures.

For instructions on installing FreeBSD, please see Chapter 2 of The FreeBSD Handbook. It provides a complete installation walk-through for users new to FreeBSD, and can be found online at: http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/install.html

Updating Existing Systems

NOTE: If updating from a 7.0 or earlier system, due to a change in the vendor's drivers certain Intel NICs will now come up as igb(4) instead of em(4). We normally try to avoid changes like that in stable branches but the vendor felt it necessary in order to support the new adapters. See the UPDATING entry dated 20080811 for details. There are only 3 PCI IDs that should have their name changed from em(4) to igb(4): 0x10A78086, 0x10A98086, and 0x10D68086. You should be able to determine if your card will change names by running the command pciconf -l, and for the line representing your NIC (should be named em on older systems, e.g. em0 or em1, etc) check the fourth column. If that says chip=0x10a78086 (or one of the other two IDs given above) you will have the adapter's name change.
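A small check for the em(4) to igb(4) rename, as an added example that is not part of the announcement: it reads pciconf -l output, reports the em interfaces whose chip ID is one of the three listed above, and lists the ifconfig_* lines in rc.conf that still refer to them, so they can be edited before freebsd-update is run. The sample pciconf output is constructed for the example; only the three chip IDs come from the announcement, and the new igb unit number is left for the administrator to fill in since it depends on probe order.

```shell
#!/bin/sh
# Added example, not from the announcement: find em(4) interfaces that
# 7.1 will rename to igb(4) and the rc.conf lines that must change first.

# The three chip IDs named in the announcement (compared in lower case).
RENAMED_CHIPS="0x10a78086 0x10a98086 0x10d68086"

# Constructed pciconf -l output for the example (not from a real host).
sample_pciconf() {
cat <<'EOF'
hostb0@pci0:0:0:0:	class=0x060000 card=0x00000000 chip=0x29708086 rev=0x02 hdr=0x00
em0@pci0:1:0:0:	class=0x020000 card=0x10a78086 chip=0x10a78086 rev=0x02 hdr=0x00
em1@pci0:2:0:0:	class=0x020000 card=0x108c8086 chip=0x108c8086 rev=0x03 hdr=0x00
em2@pci0:3:0:0:	class=0x020000 card=0x10d68086 chip=0x10D68086 rev=0x01 hdr=0x00
EOF
}

# Read pciconf -l lines on stdin; print "<em device> igb" for each em(4)
# interface whose chip= value is one of RENAMED_CHIPS. Other devices and
# em(4) cards with other chip IDs are ignored.
em_to_igb() {
    while read -r line; do
        case $line in
            em[0-9]*@*) ;;
            *) continue ;;
        esac
        dev=${line%%@*}
        chip=
        for tok in $line; do
            case $tok in chip=*) chip=${tok#chip=} ;; esac
        done
        # pciconf prints the ID in lower case, but accept either case
        chip=$(printf '%s' "$chip" | tr 'A-Z' 'a-z')
        for want in $RENAMED_CHIPS; do
            if [ "$chip" = "$want" ]; then
                echo "$dev igb"
                break
            fi
        done
    done
}

# Read "<old> <new>" pairs from em_to_igb on stdin and print every
# ifconfig_<old>= line of the given rc.conf, flagged for editing.
stale_rc_lines() {
    rc=$1
    while read -r old new; do
        grep "^ifconfig_${old}=" "$rc" 2>/dev/null |
            sed "s/^/update before freebsd-update ($old becomes $new): /"
    done
}

# Usage on a real system: pciconf -l | em_to_igb | stale_rc_lines /etc/rc.conf
if [ "$1" = "--demo" ]; then
    rc=$(mktemp)
    printf 'ifconfig_em0="DHCP"\nifconfig_em1="inet 192.0.2.5 netmask 255.255.255.0"\n' > "$rc"
    sample_pciconf | em_to_igb | stale_rc_lines "$rc"
    rm -f "$rc"
fi
```

Running with --demo uses the constructed data; on an upgrade candidate, pipe the real pciconf -l output in and fix every flagged ifconfig_* line before the first freebsd-update install, which is exactly the ordering the announcement asks for.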


Updates from Source

The procedure for doing a source code based update is described in the FreeBSD Handbook:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/synching.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html

The branch tag to use for updating the source is RELENG_7_1.


FreeBSD Update

The freebsd-update(8) utility supports binary upgrades of i386 and amd64 systems running earlier FreeBSD releases. Systems running 7.0-RELEASE, 7.1-BETA, 7.1-BETA2, 7.1-RC1, or 7.1-RC2 can upgrade as follows:

# freebsd-update upgrade -r 7.1-RELEASE

During this process, FreeBSD Update may ask the user to help by merging some configuration files or by confirming that the automatically performed merging was done correctly.


# freebsd-update install 


The system must be rebooted with the 
newly installed kernel before continuing. 


# shutdown -r now 


After rebooting, freebsd-update needs to 
be run again to install the new userland 
components, and the system needs to 
be rebooted again: 


# freebsd-update install 


# shutdown -r now 


Users of Intel network interfaces which are changing their name from em to igb should make the necessary changes to configuration files BEFORE running freebsd-update, since otherwise the network interface will not be configured appropriately after rebooting for the first time.

Users of earlier FreeBSD releases (FreeBSD 6.x) can also use freebsd-update to upgrade to FreeBSD 7.1, but will be prompted to rebuild all third-party applications (e.g., anything installed from the ports tree) after the second invocation of 'freebsd-update install', in order to handle differences in the system libraries between FreeBSD 6.x and FreeBSD 7.x.

For more information, see: http://www.daemonology.net/blog/2007-11-11-freebsd-major-version-upgrade.html

Support

The FreeBSD Security Team currently plans to support FreeBSD 7.1 until January 31st 2011. For more information on the Security Team and their support of the various FreeBSD branches see: http://www.freebsd.org/security/

Trademark

FreeBSD is a registered trademark of The FreeBSD Foundation.


OpenSMTPD

In this issue I will take the opportunity to write about the SMTP server that was imported into the OpenBSD source tree. It isn't enabled yet; it isn't even linked to the build, but it is in progress and this article will describe what it currently does.

When SMTPd was imported, several people asked why we needed a new project and why we did not import their favorite mta (mail transfer agent) application. There's actually more than just one reason. Currently, OpenBSD ships with the well-known and rather unpopular Sendmail, which has a very bad reputation because of its past history of security issues, but I will get to that soon. Long story short, many of us want to replace it with another mta application, so let's see what the alternatives are.

If I look at my mail headers for the last few months, Sendmail, Postfix, Exim, and Qmail account for most of the traffic. Exchange is not going to be useful, so I guess we can skip it.

This leaves us with Postfix, Qmail, and Exim.

Exim is licensed under the GPL, so we'll not be considering it here: OpenBSD no longer imports GPL licensed code into the base, thus it isn't a possible alternative. I don't know what Exim is worth; I can't honestly say I ever even ran it.

Postfix is licensed under the IPL (IBM Public License), so it's also a non-option: this cannot go in either, as the IPL contains a clause which goes against the very goals of the OpenBSD project.

At the time of this writing, Qmail is supposedly released to the Public Domain, so it is a viable alternative from the license point of view. Unfortunately, the developers do not agree that it is a better choice than Sendmail and the fact is that this point is clearly highly debatable. For every Qmail fan I find, I can find someone who strongly opposes it. Not to mention that the author has been hard to deal with in the past, and even if Qmail is public domain, it is still likely that we would have to work with the author at some point.

Sendmail turns out to be the best choice out of these. It has a license which doesn't go against our goals, it is mature and works great, and it isn't going to get your server hacked. Sendmail is used by the largest corporations, with the most complex setups, and it is actively followed and fixed as issues arise.

By now you should be asking yourself: well, if Sendmail is so nice, why change to something else?

I recently had to make changes to a setup that had been running for months. I assumed I would deal with it in a few seconds because I knew what I wanted to do and it was a trivial task. I ended up spending half an hour jumping from a book to a search engine, and another half an hour testing the new setup just to make sure I did not break anything with my two-line change.

As an OpenBSD user, I am used to getting things working by reading manuals and comments in sample configuration files provided with the system. Sendmail doesn't work that way: if you try a setup with no book and no internet access then you are very likely to fail if you are not very experienced with it.

This is why some developers, including myself, think we need to provide a new SMTP server that is developed with OpenBSD's goals of security and simplicity in mind.


Design and processes description

OpenSMTPD follows the same design as various recent daemons in OpenBSD. It is a multi-process application which uses the imsg framework to let processes do IPC, while making use of several techniques to mitigate risks. The daemon has a fully asynchronous design and, in theory, does not block on IO. In practice we lack an asynchronous DNS resolver (for now) and as a result we have all of our resolutions serialized and blocking.

Except for one process, used for privilege separation, all processes run with no privileges at all and are chrooted to either /var/empty or the mail queue. The processes that need to open files outside of their chroot jails rely on imsg to do fd passing from a process which can access these files.

OpenSMTPD has several processes, which looks a bit scary at first sight (see Listing 1).

They all have very specific tasks and, while we attempted to reduce the number of processes, it always turned out to be a bad idea from either a security or a performance point of view. It doesn't seem over-engineered either; other mta applications have about the same dispatch of tasks.

Let's review what they do:

The two most exposed processes are (1) the SMTP server that handles SMTP sessions from untrusted clients over the network and (2) the control process which handles the enqueuing from system users. They do essentially the same job, turning a set of recipients into a structure that processes can play with; however one does it by parsing a command line, while the other does it by parsing a session it has received over the network. As the ps output in Listing 1 shows, both processes run as user _smtpd, but they are also chrooted to /var/empty.

Each time an envelope is created, it is sent to the mail filter agent that is in charge of checking the rule set and deciding if a recipient is rejected or not. It acts as a firewall to the other processes, rejecting envelopes that we do not want to process at an early stage. Later, this is where we will get our mail filters plugged in. The process runs as user _smtpd and is chrooted to the /var/empty directory. Envelopes which aren't rejected are handed over to the lookup agent. They are expanded and resolved into a recipient usable by the queue process. Expansion is done iteratively so that aliases to aliases to accounts that have forwards that contain aliases work correctly, but with a hard limit to detect loops in case some users play with self-referencing forwards. The lookup agent is also in charge of doing all kinds of lookups other processes need, such as looking up a group of MX records or resolving a hostname. The process also runs unprivileged as user _smtpd, but unlike other processes it can't run chrooted, as we want it to access various resources such as the aliases database, resolv.conf, and the passwd database /etc/pwd.db, amongst other things.


The queue process is in charge of recording envelopes to a disk-based queue. It was initially also in charge of scheduling deliveries and updating envelopes, but this proved to be the wrong idea as it made the code considerably trickier. The fact is, this process is queried by most of the other processes and we do not want it to perform any time-consuming operations, as it could ultimately stop handling imsg from other processes and cause sessions to time out. Thus it runs unprivileged, and chrooted to the mail queue root.

The runner process was introduced as a solution to prevent the queue process from ever being too busy to handle incoming imsg. The runner process walks through the queue and detects if envelopes are expired or if they can be scheduled. When it finds envelopes that belong to an identical session and which should be sent to the same remote MX, it merges them into a batch. This allows SMTPd to do a delivery to multiple recipients in a single remote SMTP session. Unprivileged and chrooted to the mail queue root.

The mail transfer agent is an SMTP client which establishes an SMTP session with a remote MX and hands it over one or more envelopes. The process then keeps track of delivery status for each envelope and notifies queue so that a decision is made to remove the envelope from the queue, generate a mailer daemon, or try the same delivery later. It runs unprivileged and chrooted to /var/empty.

The mail delivery agent is a very simple process which takes care of delivery by simply writing to a file descriptor. The file descriptor points to an mbox, a Maildir, or to a pipe we have to another external mail delivery application, such as procmail for example. The process runs with no privileges and is chrooted to /var/empty.

Finally, the parent process is in charge of starting SMTPd and doing all kinds of privileged tasks on behalf of other processes. It opens an mbox, Maildir, or even a pipe to a process it just created to start an external delivery agent. It is currently used for authentication too as we need privileges to read the secure passwd database.


Programs

OpenSMTPD ships with SMTPd, the SMTP server daemon, but also with a small set of tools to help the administrator in his daily tasks. There are currently two tools:

* makemap
* smtpctl

The makemap utility is used to generate mappings of key/values which are used for various purposes inside SMTPd. The 'newaliases' command is a hard link to the makemap utility which operates in a mode able to check the correctness of the aliases database. At the time of this writing, makemap is also used to handle the virtual users database, but a small redesign of the makemap utility is in the works to let us use maps for various other features.

Listing 1. Processes list

mx1.poolp.org:gilles {109} ps auxwww | grep smtp
USER     COMMAND
root     parent (smtpd)
_smtpd   mail delivery agent (smtpd)
_smtpd   lookup agent (smtpd)
_smtpd   mail filter agent (smtpd)
_smtpd   queue handler (smtpd)
_smtpd   mail transfer agent (smtpd)
_smtpd   smtp server (smtpd)
_smtpd   control process (smtpd)
_smtpd   runner (smtpd)

The smtpctl utility is used to control and interact with the SMTP daemon. The utility currently allows the following:

Pausing and resuming processes

The administrator can temporarily stop local deliveries, remote deliveries, or incoming sessions. They can be paused and resumed independently so that it is possible to stop relaying outgoing messages while still accepting the incoming sessions.

Live statistics display

The administrator can request the display of various runtime counters which can be useful for troubleshooting and understanding how the server is being used. Statistics look as follows (see Listing 2).

Queue display

The administrator can also request the display of queue-related information such as a list of messages currently in queue or currently scheduled. There is still work being done on this area, but the output is not likely to go through heavy changes (see Listing 3).

Listing 2. smtpctl statistics

$ sudo smtpctl show stats | grep smtp.sessions
smtp.sessions = 4732
smtp.sessions.aborted = 13
smtp.sessions.active = 24
smtp.sessions.ssmtp = 5
smtp.sessions.ssmtp.active = 0
smtp.sessions.starttls = 3231
smtp.sessions.starttls.active = 11

Listing 3. smtpctl queue inspection

$ sudo smtpctl show queue | grep gilles@openbsd.org
MTA|1233868410.kCcGFQo0OEKUgG30259.3081509717|gilles@poolp.org|gilles@openbsd.org|1233868419|0
MTA|1233868631.CoBppZEPZPE0552.32573212294|gilles@poolp.org|gilles@openbsd.org|1233868670|0
MDA|1233868707.XNWYsjRDKbDM15852.3848182339|gilles@poolp.org|gilles@grazou.poolp.org|1233868713|0

The fields being: delivery method, unique id, sender, recipient, timestamp, and the number of times we attempted delivery for this message. Each time the messages are scheduled for delivery and an attempt is made, the timestamp gets updated so we have a precise idea of when the last time we dealt with it was.

The runqueue, which can be inspected with "show runqueue", contains only the messages which have been marked ready for delivery and will be processed. A "show runqueue" output looks identical to "show queue".
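The six '|'-separated fields described above are easy to turn into a monitoring check. The following is an added example, not a tool shipped with OpenSMTPD: awk filters over "show queue" output that report entries retried at least N times, entries whose last attempt is older than a given age, and a per-method count (MTA for remote, MDA for local delivery). The sample lines are constructed and their ids and timestamps are made up.

```shell
#!/bin/sh
# Added example, not part of OpenSMTPD: parse "smtpctl show queue" lines
# (method|id|sender|recipient|timestamp|attempts) and report what a
# postmaster usually wants to know.

# Constructed sample output (ids and timestamps are made up).
sample_queue() {
cat <<'EOF'
MTA|1233868410.AAAAAAAAAAAAAAAA00001.0000000001|alice@example.org|bob@example.net|1233868419|0
MTA|1233800000.BBBBBBBBBBBBBBBB00002.0000000002|carol@example.org|dave@example.com|1233860000|7
MDA|1233868707.CCCCCCCCCCCCCCCC00003.0000000003|alice@example.org|alice@mail.example.org|1233868713|1
EOF
}

# Print "id recipient attempts" for entries retried at least $1 times.
# Lines that do not have exactly six fields are skipped rather than
# misparsed.
queue_retried() {
    awk -F'|' -v min="$1" 'NF == 6 && $6 >= min { print $2, $4, $6 }'
}

# Print "id recipient age" for entries whose last attempt is more than
# $2 seconds before the reference time $1 (pass $(date +%s) live).
queue_stale() {
    awk -F'|' -v now="$1" -v age="$2" \
        'NF == 6 && now - $5 > age { print $2, $4, now - $5 }'
}

# Count queued entries per delivery method, sorted by method name.
queue_per_method() {
    awk -F'|' 'NF == 6 { n[$1]++ } END { for (m in n) print m, n[m] }' | sort
}

# Usage on a live system, e.g. everything retried 5+ times or idle for an hour:
#   sudo smtpctl show queue | queue_retried 5
#   sudo smtpctl show queue | queue_stale "$(date +%s)" 3600
if [ "$1" = "--demo" ]; then
    echo "retried >= 5:"; sample_queue | queue_retried 5
    echo "per method:";   sample_queue | queue_per_method
fi
```

Because the timestamp is rewritten on every attempt, queue_stale reports messages the runner has not touched for a while, which is a different condition from a high attempt count and usually the more interesting one when a remote MX has gone silent.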


Enqueuer

smtpctl can operate in a mode where it emulates sendmail in reading a message from its standard input and registering it to the queue, without establishing a network connection to the server. In this mode, mail user agents like the 'mail' utility, or 'mutt' from ports, can transparently rely on smtpctl via the mailerconf(5) mechanism.

Other tools may appear too, but so far all of our basic needs are covered with these two utilities and the various hard links to them.


Configuration

From the beginning, we decided to provide a very simple configuration which even a new user could understand upon his or her first read. OpenSMTPD does not roll a custom configuration parser, but uses a pf-like syntax to describe what is to be accepted and what is to be rejected. Describing the configuration file would consist of reading the man page, so I will simply walk you through the various steps of an imaginary setup. This is how I like to get familiar with tools and it will allow us to see the different kinds of setups that can already be achieved.

Overview of sample configuration file

If we remove aliases, for the sake of simplicity, the default config file has the following rules:

listen on lo0
accept for domain "localhost" deliver to mbox "/var/mail/%u"
accept for all relay

This means that SMTPd will listen on the loopback interface, accept mails for users of the "localhost" domain, and accept local users to relay mail. listen could take an address instead of an interface name, and a port if we did not want to use the default one:

listen on 127.0.0.1 port 2526

Providing the interface name will listen on all INET and INET6 addresses that this interface knows about.

The configuration above is barely usable: it will simply allow local users to relay mail wherever they want, and will only accept mails for recipients that are local.

What if we wanted to do something simple like allowing all of our local users to send mail anywhere, and also accepting mail from the outside for the domain 'grazou.poolp.org'?


Accepting mail for other destinations than localhost

Assuming that my interface is bge0, the configuration file could be changed a bit to also listen on bge0:

listen on lo0
listen on bge0
accept for domain "localhost" deliver to mbox "/var/mail/%u"
accept from all for domain "grazou.poolp.org" deliver to mbox "/var/mail/%u"
accept for all relay

At this point, SMTPd listens on both lo0 and bge0 for connections. You may be scared by the "accept for all relay" rule as you'd assume it to apply to bge0 and cause SMTPd to become an open relay, but SMTPd has sane defaults and assumes an implicit "from localhost" rule if there aren't any allowed sources specified. This is why we need to "accept from all" in our second rule: if we didn't specify it then sessions on bge0 would assume relaying is denied. With that in mind, NEVER EVER EVER "accept from all for all relay".

The second rule here allows anyone to send mail to choupette@grazou.poolp.org from any address on any interface, and tells SMTPd that it has to deliver the message to /var/mail/%u, where %u is expanded to the system user the mail has had its envelope resolved to.

The "all" part in "from all" is a keyword that is more explicit than having a netmask, but it is almost (we'll see later why) equivalent to:

accept from 0.0.0.0/0 for domain "grazou.poolp.org" deliver to mbox "/var/mail/%u"


Listing 4. A new makemap utility

$ makemap
usage: makemap [-t type] [-o dbfile]

Listing 5. Sendmail-compatible newaliases utility

$ sudo newaliases
/etc/mail/aliases: 48 aliases

Listing 6. Enqueuer

$ ./send- gilles@poolp.org
Subject: foobar

This is a test.
Obviously this means you can use any netmask or address in place of "all", so if I wanted to allow only my local network to use this SMTPd as the final node for cvs.poolp.org, I could use the following rule:

accept from 192.168.0.0/16 for domain "cvs.poolp.org" deliver to mbox "/var/mail/%u"

The "relay" rule that we've seen earlier tells SMTPd that it has to relay the message to another MX host. This is done using a DNS MX records lookup, which SMTPd will use to find which nodes it should try to send the message to. This is how the SMTP protocol works, not a specificity of OpenSMTPD.

Sometimes, however, you want to bypass the MX lookup and force a route to the next node, for example to have your laptop always use your gateway instead of trying to deliver mail itself.

This is done very easily through a "relay via" rule:

accept for all relay via "gw.poolp.org"


Listing 7. Enqueuer used through the mailer.conf mechanism

$ cat /etc/mailer.conf | grep send-
send-   /usr/libexec/smtpd/send-
$ mail gilles
Subject: test
When a "relay via" directive is declared, SMTPd will only attempt to deliver to the target host, bypassing the MX records lookup. At the moment we limit this to one destination, but work will be done to extend this support.

It may seem obvious, but just in case: gw.poolp.org needs to be aware of this and should have a rule to accept relaying from the internal network:

accept from 192.168.0.0/16 for all relay

Adding IPv6 support to our mail server

If you look at our examples so far, none use an explicit address. We have no "listen" directive or "from" rules with an address or a netmask. This is for a simple reason: IPv6 works out of the box. Wherever you can put an address, a netmask, or an interface, you can stick an IPv6 address or netmask. We did not provide any address so SMTPd assumes we want to support inet AND inet6.

IPv6 support works in both incoming and outgoing ways, and is even given the preference when it is applicable.


Adding SSL/TLS support to our mail server

OpenSMTPD knows of two ways to deal with SSL sessions: SSMTP, which is just a regular SMTP session over SSL on a dedicated port; and STARTTLS, which is the same SMTP session over SSL but negotiated through an ESMTP extension after a regular SMTP session has been initiated.

I will not go through the details of creating certificates as there is a man page already for this. I could challenge you to read the OpenSSL documentation, however you'd surely fall into depression, so I'll encourage you to read starttls(8) in OpenBSD's man pages instead.

When SMTPd starts, it sets up its listening interfaces and looks for matching certificates in /etc/mail/certs. If it finds one, then it assumes that there is SSL support on that interface and starts advertising STARTTLS when the client sends EHLO.

Setting up SSMTP is just a tiny bit trickier:

ssmtp listen on bge0

Voila! Prepending "ssmtp" to a listen statement will tell SMTPd that we will use SSMTP instead of STARTTLS.

At this point we can already ensure that incoming sessions are handled via a secure channel; however, we also need SSL for outgoing mails. The "relay via" rule we saw earlier can be instructed to use SSL when it has to relay messages:

accept for all relay via ssmtp "gw.poolp.org"
accept for all relay via tls "gw.poolp.org"
accept for all relay via ssl "gw.poolp.org"

The first rule will only accept relaying if it can establish an SSMTP session to the remote host. The second will only accept relaying if it can establish a regular session and the remote host supports STARTTLS. The third only cares that we establish a secure session, through SSMTP or STARTTLS, whichever works. A message will never be relayed through an insecure channel if we declare that relaying has to go through SSMTP.


Authenticating users

This is still experimental code, but it does work to some extent and I am the main user of it so far.

A listening interface can be told that it supports authentication using this very simple rule:

listen on bge0 enable auth

When "enable auth" is declared, SMTPd advertises AUTH on that interface. The support is currently limited to AUTH PLAIN and AUTH LOGIN, both of which carry the password in a trivially decoded form, so SMTPd will not advertise AUTH unless the interface has support for SSL and the client has initiated a secure session (EHLO in SSMTP, or EHLO after a STARTTLS).

Authentication currently uses the bsd_auth(3) API, which allows us to use any backend for which we have a login script written. Well, this is at least true in theory, but I have only tried using system authentication and a custom sqlite-based login script I wrote.

At the moment, SMTPd assumes that an authenticated user has the right to relay, which may need to be changed in the future. Outgoing authentication is on my todo list and ranks at a high position, but isn't yet supported.
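As an added example, not OpenSMTPD's own code and not from the article, the following Python models the channel selection of the three "relay via" rules above and the AUTH gating of an "enable auth" listener. It opens no sockets; the rule grammar it parses, the Remote description it consumes and the preference for SSMTP over STARTTLS under "ssl" are assumptions made for the simulation, so it shows the policy, not the daemon's implementation.

```python
"""Simulation of the relay-channel and AUTH policies described above.

Added illustration code: it is not part of OpenSMTPD and does not open
any sockets.  It models the rule semantics the article describes so the
effect of "relay via ssmtp", "relay via tls" and "relay via ssl" and of
"enable auth" can be checked.  The rule grammar, the Remote description
and the preference for ssmtp over STARTTLS under "ssl" are assumptions.
"""
import shlex
from dataclasses import dataclass

RELAY_MODES = ("ssmtp", "tls", "ssl")


@dataclass
class Remote:
    """Constructed description of a remote host; no network is involved."""
    ssmtp_ok: bool     # a TLS session on the dedicated SMTPS port succeeds
    starttls_ok: bool  # cleartext EHLO advertises STARTTLS and the upgrade succeeds


def parse_relay_rule(rule):
    """Return (mode, host) for an 'accept ... relay [via [mode] "host"]' rule.

    mode is one of RELAY_MODES, or None when the rule imposes no channel
    requirement; host is None for a plain 'relay' without 'via'.
    """
    tokens = shlex.split(rule)
    if not tokens or tokens[0] != "accept" or "relay" not in tokens:
        raise ValueError("not an accept/relay rule: %r" % rule)
    i = tokens.index("relay")
    if i + 1 >= len(tokens):
        return None, None
    if tokens[i + 1] != "via":
        raise ValueError("unexpected token after relay: %r" % tokens[i + 1])
    rest = tokens[i + 2:]
    mode = None
    if rest and rest[0].lower() in RELAY_MODES:
        mode = rest.pop(0).lower()
    if len(rest) != 1:
        raise ValueError("expected exactly one relay host in %r" % rule)
    return mode, rest[0]


def choose_channel(mode, remote):
    """Channel the relay would use for the remote, or None to refuse.

    None means the rule refuses to relay the message; it is never sent
    in the clear just because the secure session failed.
    """
    if mode is None:
        return "plain"
    if mode == "ssmtp":
        return "ssmtp" if remote.ssmtp_ok else None
    if mode == "tls":
        return "starttls" if remote.starttls_ok else None
    if mode == "ssl":
        if remote.ssmtp_ok:        # assumption: try the dedicated port first
            return "ssmtp"
        if remote.starttls_ok:
            return "starttls"
        return None
    raise ValueError("unknown relay mode %r" % mode)


def advertised_extensions(have_cert, tls_active, auth_enabled):
    """ESMTP extensions a listener advertises in its EHLO reply.

    STARTTLS appears only when a certificate was found for the interface
    and the session is still in cleartext; AUTH PLAIN/LOGIN appears only
    once the session is already secured, since both mechanisms carry the
    password in a trivially decoded form.
    """
    exts = []
    if have_cert and not tls_active:
        exts.append("STARTTLS")
    if auth_enabled and tls_active:
        exts.append("AUTH PLAIN LOGIN")
    return exts


def relay_decision(rule, remote):
    """Parse a rule and pick the channel for remote: (host, channel)."""
    mode, host = parse_relay_rule(rule)
    return host, choose_channel(mode, remote)
```

The useful property to read off the simulation is that under "tls", "ssmtp" and "ssl" the only failure mode is refusal, never a silent fallback to cleartext, and that an authenticating listener never offers AUTH on a session that has not been secured first.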


Current state

OpenSMTPD is NOT production ready and will still need a lot of work before I can honestly say "you can run it safely". I have been running it for months, as my primary MX backed up by sendmail as secondary MX, and I believe it can reach a usable state for non-critical service in a very short timeframe, but it still lacks essential features, like flawless mailer-daemon support for instance, and something only time can grant us: maturity. Many features are planned, like a milter-like interface, and the use of persistent external MDA applications for servers that store mail in some database or have it pass through a dedup utility and cannot afford to fork for each delivery.

However, almost all of the very basic features are here, including some which I did not discuss in this article because they are being changed as I write: aliases and virtual users support, use of maps to enable outgoing auth, etc.

Configuration will still evolve and it is likely that the examples are going to change in the near future, but this was just an overview. Changes will be documented in the man pages and things will work out of the box when we have stable code that is linked to the build.

We are confident OpenSMTPD can and will fill the needs of most people, and the most complex setups will still be able to run sendmail, qmail, or exim if we do not support the features they need. Unlike what some people tend to think, having choice and alternatives is a good thing.
SHORT NEWS

MIDNIGHTBSD

MidnightBSD is a desktop operating system for i386 and AMD64 PCs. It is based on FreeBSD, but contains a heavily modified ports system named mports. The next release, scheduled for late 2009, will feature a new package management system, OS installer, Live CD, and support for ZFS.

MidnightBSD 0.3 will be the first release centered on usability improvements. User feedback suggests that the most common problems with BSD on the desktop are installation of the OS, software installation, and support for hardware. We hope to improve the user experience in these areas as well as provide better documentation.

Chris Reinhardt is working on new tools to manage software installation. mport is a command line utility to install, remove, and manage software packages from the console. It is based on a new library, libmport; this library will facilitate development of additional tools such as a graphical version by Caryn Holt, and integration with the new installer, minstall. It is currently under development and will feature a Live CD environment to test the system prior to installation. In addition to minstall, Lucas Holt has been bringing in useful functionality from FreeBSD and DragonFly.

The mports system has grown to 2,400 ports; it is tested periodically with the cluster donated by Eastern Michigan University's computer science department.

PC-BSD 7.1 GALILEO EDITION

The latest version of PC-BSD, 7.1 Galileo Edition, was recently released. With faster speeds, better visuals, and more stability, Galileo provides a stellar update for current PC-BSD users. Newcomers to the OS will love the ease of installation that PC-BSD's Push Button Installer (PBI) offers. With KDE's beautifully practical window management tools, and a high level of user-friendliness, Galileo makes it easy to dive into the open source world.

PC-BSD 7.1 is built upon the FreeBSD 7.1-STABLE operating system. The Galileo edition includes updated versions of KDE (4.2) and Xorg (7.4). New KDE window effects, screen savers, and better 3D acceleration make Galileo a visually stunning, yet highly functional, introduction to PC-BSD. The latest version of the Push Button Installer implements PBI Schema 2, which largely improves PBI self-containment to increase reliability. Users may now install FreeBSD ports without touching the desktop, because PC-BSD keeps its own software in /PCBSD/local.

If you're looking for the Add / Remove Programs tool, give up. It's not there. Coincidentally, the Update Manager has vanished along with it. Both have been combined under Software & Updates with Galileo. The Updater Tray has been modified as well. It is now merely a tray applet which shows users when updates are available. This is far less taxing on the CPU than its previous functions.

The Galileo edition provides fixes to bugs in the Wi-Fi and networking tools. It also includes fixes to some previous Linux emulation problems. The stability of Flash 9 has been greatly improved as well. PC-BSD's System Installer has been enhanced and improved, now with upgrade functionality, for those who wish to install PC-BSD without wiping the disk and losing user data. With these and future updates, the reasons to use PC-BSD continue to increase for new and veteran users alike.

For more information, or to download PC-BSD 7.1 Galileo Edition, visit http://www.pcbsd.org.

how-to's

Getting a GNOME Desktop on FreeBSD

Jan Stedehouder

Why would you want to install GNOME on FreeBSD? It's a KDE system! This summarizes some remarks I got when checking out how to install the GNOME desktop environment on a FreeBSD box.


There are a few reasons I can think of. For one, I have been using GNOME quite extensively over the last two years and it is a desktop environment I can work with without wondering where function x or y is. Secondly, the KDE desktop has been undergoing some serious changes since launching KDE 4.0. And while KDE 4.2 is shaping up nicely, it still has some rough edges that stop me from trying it for day to day use, which is especially important since I sometimes need to finish work, instead of playing around with the box to get things working. And finally, there is always the "because it's there" argument. If it can be done, it begs to be done.

In this article we will see how the GNOME desktop 
environment can be installed on a FreeBSD-based box and 
how the installed desktop compares to some siblings in 
Linux. 


Snags and shortcuts

The first requirement to try out GNOME on a FreeBSD box is a working FreeBSD box. Which I had, until I borked it big time. With a rapidly approaching deadline I went for the alternative: getting a prepared virtual machine online.

For this article I used two available virtual machines. On bagvapp.com you can find a few dozen virtual machines, mostly Linux, but also OpenSolaris, FreeBSD 7.1 and, if you are so inclined, Windows 7 beta. The FreeBSD VM is about 900 MB and takes up 4.5 GB on your hard drive. It has been tweaked here and there, but it works and it has the looks (Figure 1).

The second virtual machine was already on my box, based on the PC-BSD 7.0.2 DVD, though you can download a virtual machine directly from the PC-BSD website. It gave an excellent opportunity to test the PBI that delivers GNOME to users (Figure 2).


Method 1: Using the PBI on PC-BSD

The repository for PBIs (http://www.pbidir.com) has a package to install GNOME 2.22.3 on your PC-BSD box. PBIs, PC-BSD Installers or push-button installers, are an easy way to install new software. They contain all the needed files and libraries and are self-contained. Installing a PBI doesn't affect the underlying FreeBSD system and the software installed via packages or ports.

The GNOME PBI is 425 MB and reduces installing the GNOME desktop environment to downloading, double-clicking, entering your root password and following the steps in the wizard. The installation begins with a warning message that this PBI is considered experimental. The next step that requires user intervention is the question whether the GNOME Display Manager (GDM) should replace the PC-BSD KDE Display Manager (KDM). Selecting no will add GNOME as an option in the Sessions menu of KDM (Figure 3), which is visible after rebooting.

Figure 1. The FreeBSD virtual machine from Bagvapp.com is a pleasant and easy way to try out FreeBSD proper


Another method, to be used on FreeBSD proper, is outlined on the FreeBSD GNOME page (http://www.freebsd.org/gnome/). You can install GNOME either using ports or packages. I can clearly remember taking the ports route to get the GNOME desktop environment and considered it a bit too time consuming for this article. Installing the desktop via packages is simple enough. You need to open a terminal and give yourself root rights, entering your root password. To install GNOME you enter:

# pkg_add -r gnome2

Once this is finished you repeat this for the additional collections:

gnome2-fifth-toe
gnome2-power-tools
gnome2-office
gnome2-hacker-tools

The fifth-toe collection contains programs like Pan (newsgroups), Liferea (RSS feeds), Xchat (IRC), Pidgin (IM), Bluefish (web development), Galeon (browser), Inkscape (vector graphics) and GIMP (raster graphics). The office collection provides the GNOME office applications like Abiword and Gnumeric. Both power-tools and hacker-tools are geared towards the more adventurous users.

Installing GNOME via packages was hardly a problem. Granted, the need to use the command line would scare away users coming from Windows, but wouldn't be a big deal for somewhat more experienced Linux users. The new desktop environment was added automatically to the existing KDM of the Bagvapp virtual machine.

This isn't the case with less-tweaked FreeBSD installs. There you have to manually edit the /etc/rc.conf file and add the following line:

gnome_enable="YES"

to start up the needed services. There was only one issue. The FreeBSD

The solution was to change the PACKAGESITE environment variable to the so-called Tinderbox. For this you need to open a terminal. Then, as user, enter:

export PACKAGESITE=http://www.marcuscom.com/tb/packages/7.1-FreeBSD/Latest/

After that, give yourself root rights and install the various gnome2 packages.

Under PC-BSD you open a terminal (e.g. Konsole), give yourself root rights, and then enter:

# setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/

After that you use:

# pkg_add -r gnome2

to install the GNOME desktop. Actually, I tried both 7.0-release and 7.1-release, but each resulted in warnings about dependencies, sometimes resulting in failures to install a package. The dependencies referred to versions that were slightly younger or older than those available in the release. Both times I didn't get a working GNOME desktop, which made me feel glad to have used cloned virtual machines for this set of experiments.


[Screenshot: a Konsole session on the Bagvapp virtual machine running "pkg_add -r gnome2" and fetching packages from ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.1-release/]

Figure 5. The GNOME desktop on PC-BSD

Looks, feels and comparisons

Installing the desktop environment via PBI (on PC-BSD) or packages (on FreeBSD) both result in vanilla GNOME desktops with their clean panels and menus. The PC-BSD desktop, which seemed quite organized while using KDE, re-appeared with a cluttered desktop (Figure 5).

One of the things I immediately liked was the separate KDE entry in the applications menu. On my Ubuntu box, with three desktop environments (GNOME, KDE and Xfce), the KDE applications are mixed with all the other applications. This makes for a very full menu tree, so it was nice to see a separate KDE entry. The top panel contains entries for Applications (where you can find your... well, applications), Places (shortcuts to folders and partitions) and System, which offers access to various tools for settings and management tasks. Anyone who has some experience with GNOME desktops would feel at home. The desktop might look a bit plain, but a trip to www.gnome-look.org, where loads of themes and icon sets are available, should solve that.

When you install all five meta-packages (gnome2, gnome2-fifth-toe, gnome2-office, gnome2-hacker-tools and gnome2-power-tools) you get a complete environment for both everyday and more advanced tasks. Personally, I don't like all of the choices that were made for GNOME 2.24. For instance, replacing Pidgin as the default IM client with the Empathy IM client didn't cut it for me. It wasn't as stable as I want it to be, but as long as I can install Pidgin alongside it I don't mind that it's there. Ekiga (formerly GnomeMeeting), the open source alternative to Skype, has reached version 3.0, so videoconferencing is now possible. Abiword and Gnumeric are two light-weight but fully functional programs for word processing and spreadsheets, and Evolution is a powerful program for e-mail and calendars. And, if you do like the GNOME desktop, but not the GNOME-based programs, you can continue working with the KDE-based alternatives.

This doesn't mean all is well. BPM, the graphical front-end to install ports under PC-BSD, wouldn't launch on the GNOME desktop, nor would the System Manager. Both programs require kcmshell and this appears not to work under GNOME. The Bagvapp virtual machine, FreeBSD 7.1 proper (Figure 6), wouldn't allow me to use the functions under System > Administration, functions that would normally result in a request to enter the root password.

The GNOME desktop is used as default by quite a few Linux distributions, like Ubuntu, OpenSUSE, and Fedora (Figure 7). For each of them it isn't a problem to install and use the KDE desktop. What are the major differences between the FreeBSD GNOME desktop and these three others? For starters, each of these Linux distributions has graphical frontends for various management tasks like installing and removing software and managing users.

How far the GNOME desktop can be customized is shown by OpenSUSE (Figure 8). Instead of two panels (one at the top and one at the bottom of the screen), there is one at the bottom. Clicking on Computer reveals the slab, the default menu panel, with an overview of favorite and recently used applications.
Figure 8. OpenSUSE has a customized GNOME desktop


Conclusions

Getting GNOME up and running on your FreeBSD-based box doesn't require much. When you are using PC-BSD it is enough to get the PBI, and on FreeBSD proper the packages are waiting. Granted, installing packages does require some command line skills, but either way, you have a functional GNOME desktop in less than half an hour. It was a bit disappointing not being able to install GNOME via packages on PC-BSD, after having to change the PACKAGESITE environment variable in order to get the packages in the first place.

However, both PC-BSD and FreeBSD users can get a vanilla GNOME desktop and almost all tools they need in order to get work done. What is lacking the most for perfect end-user satisfaction is a good default graphical tool for installing and removing software, either for the ports or the packages (though I do have a slight preference for the packages, since it makes for a faster install).

One thought did come to the fore while working with the GNOME desktops. The KDE desktop is progressing rapidly (and I did look at the KDE 4.2 desktop on PC-BSD 7.1 alpha 1 while playing around for this article) and the GNOME desktop is a mature, solid and complete environment. Both desktops still have issues that need to improve in order to be end-user friendly. Mind you, I define end-user as a non-technical user that works with computers to get tasks done. But the level of maturity is such that both GNOME and KDE are fine desktop environments regardless of the underlying operating systems, be they Linux or BSD (perhaps even OpenSolaris). This might not suit the evangelists of the various open operating systems, but it does open new avenues for new groups of FreeBSD users.
Packaging Software for OpenBSD - Part 2

Edd Barrett

In the last article in this series, we looked at a simple OpenBSD port. Now we will move on to some more advanced features provided by the ports system in order to package software with more complex needs.

After reviewing the ports I could have used as an example, I decided it would be more effective to introduce the features individually, rather than to introduce a very complex port encompassing all features.


Dependencies

Often a piece of software requires the functionality of another package in the ports tree. You can define a number of dependencies in your port's Makefile and the ports system will ensure the necessary software is available. Dependencies manifest themselves in four ways:

BUILD_DEPENDS — Programs which are needed at build time of the package, but not at run time. Build dependencies are installed before the port starts building.

LIB_DEPENDS — Shared libraries which the program links. These get installed before the port is built and are needed at runtime too.

RUN_DEPENDS — Programs which are needed at runtime for the software to work. These get installed at package install time.

WANTLIB — Indirectly linked shared libraries and system libraries. By this we mean libraries linked by other library dependencies and libraries in the base system which are not provided by ports.

The format of these variables is well explained in the bsd.port.mk(5) manual page, which by now you should have realized is a very valuable resource for porters.

It is very important that you take some time to check that your port will not link any unexpected libraries that the GNU configure script may automatically pick up, as this will lead to your binary package linking different libraries depending upon what libraries the build machine has installed. To be safe you can disable all features you never want enabled using CONFIGURE_ARGS. Usually you can use --without-xxx or --disable-xxx to disable optional features and similarly --with-xxx or --enable-xxx to ensure certain functionality is built in to the software you are building. In general be as explicit as possible. Dependency examples:

LIB_DEPENDS = mad.>=2::audio/libmad
BUILD_DEPENDS = ::devel/cmake
RUN_DEPENDS = ::devel/ectags

The command make port-lib-depends-check can be used to check for missing/extra library declarations in your Makefile. Take a look at the library-specs(7) and packages-specs(7) manual pages for further information on port dependencies.
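As an added illustration of what such a check has to do (this is not OpenBSD's port-lib-depends-check and not part of the ports infrastructure), the following Python parses LIB_DEPENDS entries in the libspec:pkgspec:dir form shown above together with the SHARED_LIBS lines of the port that provides each library, and reports which entries the provider cannot satisfy. The version rules are my reading of library-specs(7) and should be checked against that manual page, and the two provider Makefile fragments are constructed rather than copied from the real audio/libmad and devel/gettext ports.

```python
"""Check LIB_DEPENDS library specs against a provider port's SHARED_LIBS.

Added illustration code, not part of the OpenBSD ports infrastructure.
The version rules are my reading of library-specs(7) and should be
checked against that manual page: "name.>=M.m" accepts any version at
or above M.m (a higher major included), "name.M.m" requires the same
major and at least minor m, and a bare "name" accepts any version.
The Makefile fragments below are constructed, not the real ports' data.
"""
import re

# Constructed SHARED_LIBS fragments of two hypothetical provider ports.
PROVIDER_MAKEFILES = {
    "audio/libmad": "SHARED_LIBS += mad 2.1        # 0.15.1b\n",
    "devel/gettext": (
        "SHARED_LIBS += intl 5.0       # 0.17\n"
        "SHARED_LIBS += asprintf 0.0   # 0.17\n"
        "SHARED_LIBS += gettextpo 4.0  # 0.17\n"
    ),
}

SHARED_LIBS_RE = re.compile(r"^\s*SHARED_LIBS\s*\+?=\s*(\S+)\s+(\d+)\.(\d+)", re.M)
LIBSPEC_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_+\-]+)"
    r"(?:\.(?P<op>>=)?(?P<major>\d+)(?:\.(?P<minor>\d+))?)?$"
)


def parse_shared_libs(makefile_text):
    """Map library name -> (major, minor) from SHARED_LIBS lines."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in SHARED_LIBS_RE.finditer(makefile_text)}


def parse_lib_depends(value):
    """Split a LIB_DEPENDS value into (libspec, pkgspec, dir) tuples."""
    entries = []
    for item in value.split():
        parts = item.split(":")
        if len(parts) != 3:
            raise ValueError("expected libspec:pkgspec:dir, got %r" % item)
        entries.append(tuple(parts))
    return entries


def parse_libspec(spec):
    """'mad.>=2' -> ('mad', '>=', (2, 0)); 'mad.2.1' -> ('mad', '==', (2, 1));
    'mad' -> ('mad', None, None)."""
    m = LIBSPEC_RE.match(spec)
    if not m:
        raise ValueError("malformed library spec %r" % spec)
    if m.group("major") is None:
        return m.group("name"), None, None
    version = (int(m.group("major")), int(m.group("minor") or 0))
    return m.group("name"), m.group("op") or "==", version


def satisfies(spec, provided):
    """True if provided {name: (major, minor)} meets the library spec."""
    name, op, wanted = parse_libspec(spec)
    if name not in provided:
        return False
    have = provided[name]
    if op is None:
        return True
    if op == ">=":
        return have >= wanted            # tuple order: major first, then minor
    return have[0] == wanted[0] and have[1] >= wanted[1]


def unmet_lib_depends(lib_depends, providers):
    """Return (libspec, dir) for each LIB_DEPENDS entry its provider cannot satisfy."""
    unmet = []
    for libspec, _pkgspec, port_dir in parse_lib_depends(lib_depends):
        provided = parse_shared_libs(providers.get(port_dir, ""))
        if not satisfies(libspec, provided):
            unmet.append((libspec, port_dir))
    return unmet
```

Running unmet_lib_depends over a port's LIB_DEPENDS before building is a cheap way to catch a spec that silently matches nothing; the real check, make port-lib-depends-check, goes further and compares the declarations with what the built binaries actually link.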


Patching

If a port requires modifications to its source code in order to build on OpenBSD then you will need to use the patching facilities of the ports system.

Adding a patch to a port is simple. Consider that we want to make a patch to the configure script of a piece of software:

First extract the port and apply any already existing patches using make patch in the port's directory.

Now cd into the sources, which are inside the WRKDIR; for example version 2.0.9 of a port named 'nano' would usually extract its sources under w-nano-2.0.9/nano-2.0.9.

Copy the existing version of the file we wish to patch to a new file with .orig appended, e.g. cp configure configure.orig, then make your changes to configure.

Now in the port's directory, run make update-patches. Ports will now generate a patch for your changes and inform you that it is about to launch you into an editor. You can now hit enter and review the patch. You will find the patch in the patches directory of the port.


Ports which Install Shared Libraries

Some ports will attempt to install shared libraries, in which case some special handling by ports is required.

First of all you should inform ports which libraries the port is going to install. This is fairly straightforward and will be explained using the gettext (internationalization library) port (see Listing 1).

As you can see, gettext installs 5 shared libraries, but what are the numbers all about? When a port with shared libraries is first included in the OpenBSD ports tree, its shared library version starts at 0.0. Subsequent updates to such a port will then have its library versions bumped, and the rules for doing so are well documented at http://www.openbsd.org/porting/libraries.html. The numbers in the comments are the release versions as per the library author's release, not the OpenBSD library versions. It is considered good practice to comment SHARED_LIBS in this way.

Listing 1. gettext

Listing 2. TeX Live port subdirectories

# $OpenBSD: Makefile,v 1.3 2008/10/21
SUBDIR += base
SUBDIR += texmf

.include <bsd.port.subdir.mk>

Listing 3. Package flavors in the mpd port

The next thing to check is whether the port uses GNU libtool to help generate shared libraries. The tell-tale sign of this is that there are scripts called libtool dotted around in the build directory after make configure is complete. You could use find . -name libtool from the build directory to verify this. You may also wish to log the output of a port build (make build 2>&1 | tee LOG) and search inside the log for libtool invocations. If you find your port using libtool, be sure to set USE_LIBTOOL = Yes in your port Makefile, causing OpenBSD's custom /usr/local/bin/libtool to be used instead. If you don't do this, the library versions declared with SHARED_LIBS may not be correct.

After the above steps, make update-plist should create a file called PFRAG.shared in the port's pkg directory, listing the shared libraries to be installed.
Multiple Packages from One Port

Often it makes sense for one port to generate a number of binary packages. The ports system provides three methods of doing so: subdirectories, multi-packages and flavors.

Subdirectories in Ports

Subdirectories allow a port to have subdirectories, each with its own Makefile, patches and packing list. Subdirectories are typically useful when a piece of software is comprised of many packages, each distributed in separate source tarballs.

Implementing such a port is trivial and is best explained with an example. The TeX Live port uses subdirectories as follows (see Listing 2).

In this example, the folders base and texmf are processed sequentially when make is run in the port's directory. Please note the inclusion of bsd.port.subdir.mk is required in order for this to work.

Another feature provided by ports, which can be used alongside subdirectories, is the Makefile.inc file. This is basically a makefile stub which gets included in the Makefiles in the subdirectories. How is this useful? Usually the maintainer of each subdirectory is common and can go into Makefile.inc, for example. You can use any ports system makefile variable in Makefile.inc.

Package Flavors

Package flavors can be used to make multiple packages from one port when a separate packing list is not required. In other words, flavors enable you to make multiple versions of one package. Most commonly this is to provide packages which are compiled with different features and dependencies enabled. To choose which flavor of a port to build, the FLAVOR environment variable is set, for example: env FLAVOR=no_x11 make install. If the FLAVOR variable is not set, then the default flavor is built.

To make use of package flavors, first a list of possible flavors (other than the default flavor) and the default flavor (FLAVOR ?=) must be defined. For example the Music Player Daemon (mpd) port can be built with optional tremor support (see Listing 3).
Now you can conditionally execute parts of the port Makefile based upon the flavor the build is requesting, using the .if ${FLAVOR:L:M<flavor>} construct. Using the mpd port as an example again (see Listing 3).

In the above example, if the tremor flavor is selected, some configure arguments are added to enable tremor support and to disable oggflac and shoutcast support, then the library specifications are updated accordingly. When using make port-lib-depends-check, be sure to run it once for each flavor to avoid library specification errors. See the bsd.port.mk(5) manual page for more information on flavors (FLAVORS AND MULTI_PACKAGES section).

Multi-Packages

Multi-packages are used when you want to make multiple packages from a single port and each package needs its own packaging stage. This method is often used to split software from one source tarball into separate counterparts, for example server and client packages.

First of all, a list of possible packages is defined. Notice how multi-package names start with a dash, so they are not confused with flavor names. The following example is a snippet from the MySQL port:

MULTI_PACKAGES = -main -server -tests

Now multi-package specific variables may be defined:

COMMENT-main = multithreaded SQL database (client)
COMMENT-server = multithreaded SQL database (server)
COMMENT-tests = multithreaded SQL database (regression test suite)

The default multi-package name is -main, which will generate a package postfixed as such. You may wish to create a more suitable package name (as MySQL does), for example PKGNAME-main = mysql-client-${VERSION}.

As mentioned briefly before, each multi-package has its own packaging stage, which implies that each multi-package will have its own packing list and description (optionally also shared library list and (un)install messages). So using the above example we expect at least DESCR-main, PLIST-main, DESCR-server, PLIST-server, DESCR-tests and PLIST-tests files to exist in the pkg directory of the port. As it happens, the server component displays a message using a MESSAGE-server file too, but this is purely optional.


Modules

The concept of modules was introduced back in OpenBSD 3.x so that commonly used makefile snippets could be atomically grouped for inclusion elsewhere in the ports tree. The Qt4 module is a good example. Ports which build against Qt4 always have some common elements such as build and library dependencies, environment variables and configure arguments.

For this reason the common elements were grouped together in /usr/ports/x11/qt4/qt4.port.mk and ports wishing to build using Qt4 can now simply include this module and not have to worry about duplicating all of the common elements. For example the QCA2 port uses the x11/qt4 module: MODULES = x11/qt4. Further information on port modules is provided in the port-modules(5) manual page.

Getting Your Port In-Tree

If you think your port will be useful to other users and has been tested on -current (and if possible, a couple of different CPU architectures), then consider submitting it to the ports mailing list for review. There are a few conventions used here which you should follow:

The subject line should start with the words NEW or UPDATE then the name of the port, for example NEW: firefox 3.
For new ports, which are not already in tree, attach a .tar.gz of the port. For port updates, mail an inline unified diff.
Always email in plain text.
Don't top post. See http://en.wikipedia.org/wiki/Posting_style#Top-posting

Another thing to note is that if you take maintainership of a port, you will be expected to keep it up to date and fix any issues which may crop up. If you don't want to be held responsible, you can omit MAINTAINER from your port Makefile. In such a case, the port becomes the responsibility of no-one in particular. Generally ports with maintainers are preferred, as issues can be emailed directly to the maintainer and therefore be addressed quicker.

If your port is of high enough standard, a developer will take it and perform the necessary CVS operations for you, but only once they have been given the OK from another developer. Once your port is in tree, binary packages for your port will begin to appear in the snapshot packages directory on the OpenBSD FTP servers.

See the OpenBSD web page for information on how to subscribe to the ports mailing list.


Conclusion

You should now have a fairly good understanding of how to package third party applications for OpenBSD. Of course we have barely scratched the surface. I strongly encourage developers wishing to get into this seriously to have a good read of bsd.port.mk(5) and to subscribe to the ports@openbsd.org mailing list, to start testing other people's ports. I hope you learned something or at least found the articles interesting to read. Happy port hacking, people!
A Jabber Data Transfer component

Eric Schnoebelen

So I can chat, but how do I send a picture to Mom? So, you've got your Jabber server up and running, the family using it, and you're still in contact with your friends on the walled garden networks.


You're having family meetings using a conference room (never mind that little Sally is off at college, and little Jimmy is doing foreign exchange in Bolivia), and all the family communications are secure.

Now little Jimmy wants to send Mom a picture of the wonderful casserole he made. But when trying to do a file transfer directly between the two clients, the transfer bombs out. All the computers at the house are NAT'd behind one router, and much of Bolivia seems to be behind another NAT device. What's the family sysadmin to do?

If you're like most people, your workstations/computers are behind something like a NAT/PAT router mapping all of your client workstations to a single public IP address. While this is wonderful for protecting hosts and conserving IP addresses, it makes point to point file transfer between two clients behind such devices nearly impossible.

Enter XEP-0065, the SOCKS5 Bytestreams XMPP extension. It is designed for establishing out-of-band byte-streams between users. The byte-stream can be either direct (peer-to-peer) or mediated (through a proxy server). The mediated model is what is used when both clients are behind NAT/PAT devices: both clients open an outbound SOCKS5 connection to the proxy, and the proxy couples the two connections.

XEP-0065 is purely for file transfers and other bulk data transfers. It is supported by a wide variety of clients. For real time audio and video conferencing over XMPP, a different set of protocols is being defined and refined. That protocol suite is called Jingle, and its development is being supported by Google, as part of Google's GTalk offerings. We'll discuss Jingle further in a future article (as soon as I find a component implementation for jabberd2). Back to XEP-0065.
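How the mediated model actually pairs two NAT'd clients is worth seeing in code. The following is an added example, not part of the article and not Proxy65's code: it computes the XEP-0065 stream-host hash (SHA-1 of SID + initiator JID + target JID) that both sides present as the SOCKS5 CONNECT target, runs the SOCKS5 handshake, and pairs the two connections in a toy loopback proxy that relays only after the initiator's activation step. The JIDs, the stream ID and the file bytes are constructed.

```python
import hashlib
import socket
import threading

def stream_host_hash(sid, initiator_jid, target_jid):
    """XEP-0065 DST.ADDR: SHA-1 of SID + Initiator JID + Target JID, lowercase hex."""
    return hashlib.sha1((sid + initiator_jid + target_jid).encode("utf-8")).hexdigest()

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf

def socks5_connect(sock, dst_addr):
    """Client side: no-auth method, then CONNECT to domain dst_addr, port 0; returns BND.ADDR."""
    sock.sendall(b"\x05\x01\x00")                          # VER=5, NMETHODS=1, NO AUTH
    if _recv_exact(sock, 2) != b"\x05\x00":
        raise ConnectionError("proxy refused the no-auth method")
    addr = dst_addr.encode("ascii")
    sock.sendall(b"\x05\x01\x00\x03" + bytes([len(addr)]) + addr + b"\x00\x00")
    ver, rep, _, atyp = _recv_exact(sock, 4)
    if ver != 5 or rep != 0 or atyp != 3:
        raise ConnectionError("CONNECT rejected, REP=%d" % rep)
    bnd = _recv_exact(sock, _recv_exact(sock, 1)[0] + 2)    # BND.ADDR then BND.PORT (0)
    return bnd[:-2].decode("ascii")

def _pump(src, dst):
    # Copy bytes one way until src hits EOF, then half-close dst so its reader sees EOF too.
    try:
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    finally:
        dst.shutdown(socket.SHUT_WR)

class PairingProxy:
    """Toy streamhost: the two connections that CONNECT to the same 40-hex hash are paired, and
    bytes flow only after activate() (the initiator's <activate/> IQ in the real protocol).
    It never opens outbound connections, so it cannot serve as a generic SOCKS relay."""

    def __init__(self, host="127.0.0.1"):
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind((host, 0))                      # loopback, ephemeral port
        self.listener.listen(8)
        self.host, self.port = self.listener.getsockname()
        self._waiting = {}                                 # hash -> [conn, ...]
        self._lock = threading.Lock()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self.listener.accept()
            except OSError:                                # listener closed
                return
            threading.Thread(target=self._handshake, args=(conn,), daemon=True).start()

    def _handshake(self, conn):
        try:
            ver, nmethods = _recv_exact(conn, 2)
            if ver != 5 or 0 not in _recv_exact(conn, nmethods):
                conn.sendall(b"\x05\xff")                  # no acceptable method
                return conn.close()
            conn.sendall(b"\x05\x00")
            ver, cmd, _, atyp = _recv_exact(conn, 4)
            dst = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode("ascii") if atyp == 3 else ""
            _recv_exact(conn, 2)                           # DST.PORT, ignored
            if (ver, cmd) != (5, 1) or len(dst) != 40 or any(c not in "0123456789abcdef" for c in dst):
                conn.sendall(b"\x05\x02\x00\x03\x00\x00\x00")   # not allowed by ruleset
                return conn.close()
            with self._lock:
                self._waiting.setdefault(dst, []).append(conn)
            conn.sendall(b"\x05\x00\x00\x03\x28" + dst.encode("ascii") + b"\x00\x00")
        except (OSError, UnicodeDecodeError):
            conn.close()

    def activate(self, dst):
        """Start relaying for dst; False unless exactly two peers are waiting on that hash."""
        with self._lock:
            peers = self._waiting.get(dst, [])
            if len(peers) != 2:
                return False
            del self._waiting[dst]
        for a, b in ((peers[0], peers[1]), (peers[1], peers[0])):
            threading.Thread(target=_pump, args=(a, b), daemon=True).start()
        return True

def demo():
    """Constructed exchange: Jimmy (initiator) sends a file to Mom (target) through the proxy."""
    proxy = PairingProxy()
    dst = stream_host_hash("casserole-42", "jimmy@example.org/laptop", "mom@example.org/kitchen")
    mom, jimmy = (socket.create_connection((proxy.host, proxy.port), timeout=5) for _ in "ab")
    for side in (mom, jimmy):                              # target connects first, then initiator
        socks5_connect(side, dst)
    if not proxy.activate(dst):                            # the initiator's <activate/> step
        raise RuntimeError("stream not activated")
    jimmy.sendall(b"\x89PNG casserole bytes")
    jimmy.shutdown(socket.SHUT_WR)
    received = b"".join(iter(lambda: mom.recv(4096), b""))
    mom.close(), jimmy.close(), proxy.listener.close()
    return received
```

Run demo() to see one transfer end to end. The point to take away is that the proxy never connects anywhere on a client's behalf; it only couples two inbound connections that named the same hash, and only after activation, which is what keeps an Internet-facing streamhost listener from being usable as an open SOCKS relay.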


Implementing XEP-0065

A XEP-0065 proxy server has been implemented in Python, using the Twisted framework. We talked about using Twisted and Twisted's server features when building, installing, and using palaver. Proxy65 (found at http://proxy65.googlecode.com/files/Proxy65-1.2.0.tgz) uses the Twisted plug-in/services architecture, just as palaver did.


Obligatory pkgsrc

As you should expect by now, proxy65 can be found in pkgsrc, in the wip category (at the time of writing). It can be found as py-jabber-proxy65. Building from pkgsrc is just as with everything else in pkgsrc: change to the directory, type make install, and you're ready to fly. Skip down to the Configuration section to learn how to configure Proxy65.


Figure 1. SOCKS5 service discovery: Psi's service discovery window for jabber.cirr.com, listing the Jabber IM server, the AIM, ICQ, MSN and Yahoo! transports, the Multi-User Chat Service, Public Chatrooms and the SOCKS5 Bytestreams Service (proxy.jabber.cirr.com)

The hard way

If you haven't installed any of the previous Twisted applications, then you'll need to download the current edition of Twisted (8.1.0 as of this writing) from http://tmrc.mit.edu/mirror/twisted/Twisted/8.1/Twisted-8.1.0.tar.bz2 and install it using the standard Python installation dance of:


bunzip2 Twisted-8.1.0.tar.bz2
tar xf Twisted-8.1.0.tar
cd Twisted-8.1.0
python setup.py build
sudo python setup.py install


No further configuration of Twisted is needed. Now that Twisted is installed, you need to grab the Proxy65 sources from http://proxy65.googlecode.com/files/Proxy65-1.2.0.tgz, and do the same Python installation dance of:


gunzip Proxy65-1.2.0.tgz
tar xf Proxy65-1.2.0.tar
cd Proxy65-1.2.0
python setup.py build
sudo python setup.py install


Fortunately, for well-written Python modules, build and installation is very straightforward (and both Twisted and Proxy65 are well-written Python modules).


Configuring Proxy65

All the configuration for Proxy65 is done via the Twisted manager command line. If you've built from pkgsrc-wip, a startup script for NetBSD's rc startup system has been installed as /usr/pkg/share/examples/rc.d/proxy65. The installation message describes the variables needed to set it up. To properly configure Proxy65, you need to have the following information:

The shared secret for talking to your jabberd2 router component (required).

A group of address/port pairs to be advertised/used as data transfer addresses/ports (required; must be the public IP address, and the ports must be open).

The Jabber ID for the proxy server, as a fully qualified domain name (optional, defaults to Proxy65, unqualified).

The name of the host where the jabberd2 router component is running (optional, defaults to localhost).


The port for connecting to the jabberd2 router component (optional, defaults to 6000; jabberd2's router component listens on 5347).

Path to the file where you want to stash the Proxy65 process id.

Path to the file where you want to have twisted log events related to Proxy65.

Executing user for the Proxy65 component.

Figure 2. Psi Account Properties, Misc tab: Data Transfer Proxy set to proxy.jabber.cirr.com

Listing 1. Example configuration settings

Shared secret:  "JabberIsGreat"
address/ports:  192.67.63.14:8160, 192.67.63.14:8161
Proxy JID:      proxy.jabber.cirr.com
Jabber host:    jabber.cirr.com
Jabber port:    5347
Log file:       /var/log/jabberd/proxy.log
PID file:       /var/run/jabberd/proxy.pid
user:           jabberd

(Yes, this command line is going to be long!)

Listing 2. twistd command line for Proxy65

sudo twistd \
  --uid=jabberd \
  --logfile=/var/log/jabberd/proxy.log \
  --pidfile=/var/run/jabberd/proxy.pid \
  proxy65 \
  --jid=proxy.jabber.cirr.com \
  --secret='JabberIsGreat' \
  --rport=5347 \
  --rhost=jabber.cirr.com \
  --proxyips=192.67.63.14:8160,192.67.63.14:8161
One addition to your DNS configuration is going to be required. A hostname for the proxy service/server needs to be added to your DNS configuration so outside users can find the proxy server. This needs to be a routable, public IP address.

You're also going to need to modify your firewall or NAT device to let the ports listed above through for proxy use. Given the wide variety of devices out there, you'll have to figure that one out on your own. Open only the ports you named in --proxyips: per XEP-0065 the proxy never relays to arbitrary destinations, only between two connections that named the same stream hash, but the listener itself is reachable from anywhere.


Assuming the following settings, I'll provide a demonstration command line (see Listing 1).

Twisted breaks the command line up into two segments: the generic Twisted arguments (user id, log file, pid file) and the Twisted application-specific arguments (in this case, all the Jabber stuff). With that said, here's our command line (see Listing 2).

That's a pretty ugly command line, so you probably want to roll it into a shell script to be used at system boot, or whenever you need to restart the proxy. Keep in mind that the shared secret passed via --secret is visible in the process argument list to every local user (ps(1)), so restrict who can log in to the proxy host.

With the proxy running, when your favorite Jabber client does service discovery, it should show a new service of SOCKS5 Bytestreams Service. See Psi's service discovery screen (Figure 1), where the new SOCKS5 Bytestreams Service is highlighted.


Figure 3. Pidgin Modify Account, Advanced tab: XMPP Options (Require SSL/TLS, Force old (port 5223) SSL, Allow plaintext auth over unencrypted streams, Connect port 5222, Connect server, File transfer proxies: proxy.jabber.cirr.com) and Proxy Options (Proxy type: Use Global Proxy Settings)
Configuring Clients

The final step to using the proxy service is to configure the clients to use it. That's usually defined on a per server/account basis.

In Psi, the data transfer proxy is defined on a per account basis. On the Account Properties window's Misc tab, the Data Transfer Proxy setting needs to be filled in with the Jabber ID of the proxy we defined earlier (in the example, it is proxy.jabber.cirr.com). The screen shot shows setting the Data Transfer Proxy in the Misc tab (Figure 2).

In Pidgin, the data transfer proxy is defined on the Advanced tab of the Modify Account screen. The proxy is defined in the File transfer proxies: element. The screen shot shows this tab in Pidgin (Figure 3).

Other IM clients have similar configuration screens and options to set up the data transfer proxy.

To use the proxy, just select File Transfer (or Send File, or similar) from your chat window, and the client and proxy will do all the work!


Upcoming Topics

In future articles, I'm planning on describing how to implement a web-based Jabber client, implementing a publish-subscribe component for jabberd2, and writing an XMPP bot. If there are Jabber/XMPP topics you'd like to learn more about, let me know via email at jabber@cirr.com, or catch me on XMPP as eric@jabber.cirr.com.
SHORT NEWS

DRAGONFLYBSD

DragonFlyBSD is a BSD-centric operating system project now in its fifth year of operation. In February DragonFly came out with its 2.2 release, also known as the second HAMMER release. This release contains a large number of stability and performance improvements over 2.0, improved package-source (pkgsrc) compatibility, many new and improved network drivers, and DragonFly's new HAMMER filesystem.

The HAMMER filesystem offers automatic snapshotting, fine-grained history retention, undo, and master/multi-slave mirroring capability. All functions can be accessed via the live filesystem. The mirroring support includes a non-queued, bandwidth-controlled streaming update capability. It also sports instant boot-time crash recovery. Multi-master clustering and mirroring are still on the drawing board and a year or two away from deployment at the very least, but all other filesystem goals have been met. Unlike most conventional filesystems, HAMMER does not like to delete physical data. Fine-grained historical data retention becomes more coarse-grained during nightly maintenance and deleted data ultimately falls off the disk after its snapshot life is exhausted (typically in the hundreds of days). For this and other reasons HAMMER is designed to operate with large disk partitions. It really only gets comfortable with a few hundred gigabytes and has a design capacity of 1 Exabyte. The filesystem itself utilizes 64 bit dynamically generated inodes, 64 bit file offsets, and a 64 bit byte-offset device API. HAMMER is not a RAID subsystem and does not implement soft-RAID features as would be found in something like ZFS. Ultimately HAMMER is designed to become a cluster filesystem with quorum-based redundancy. Most of HAMMER's on-media data structures revolve around a per-filesystem B-Tree.

Matthew Dillon
www.dragonflybsd.org

FREEBSD FOUNDATION

The FreeBSD Foundation is in our 10th year of supporting the FreeBSD Project and community worldwide! We were founded to fill the need for an outside organization that could support the community's vision and growth. Since then we have been actively involved in supporting three major areas: developer communication, handling legal issues, and funding development projects.

Over the last year we have:

Sponsored FreeBSD related conferences like BSDCan, EuroBSDCon, AsiaBSDCon, meetBSD, and NYCBSDCon. We also sponsored FreeBSD developer summits in Ottawa and Cambridge.

Provided 23 travel grants and funding to individuals to attend these conferences.

Provided legal support for the project on issues like understanding the GPLv3 impact on FreeBSD, providing a privacy policy, trademark ownership and permission, and other legal issues that come up.

Provided grants for projects that improve FreeBSD, like Java binaries, Network Stack Virtualization, Improving Hardware Performance Counter Support, making improvements to the TCP stack, Safe Removal of Active Disk Devices, and Improvements to the FreeBSD TCP Stack.

Provided equipment for developers working to improve FreeBSD and projects like the NetPerf cluster.

As a 501(c)3 charity, all of our work is funded by donations. To find out more about what we are doing or to make a donation, please visit www.freebsdfoundation.org.
Building a FreeBSD Wireless Router

Eric Vintimilla

Why use a FreeBSD machine as a wireless access point? Don't most Internet Service Providers give you a free modem/router?

While this may be true most of the time, it is not always the case. Besides, building your own is easy, and it gives a great deal of options for both System Administrators and control freaks alike! Most routers offer some basic functionality, but the possibilities are limitless with a home-built FreeBSD wireless access point. You can set up highly specific packet filtering rules, monitor traffic, email yourself custom reports, and even set up internal bandwidth limits. Plus, being able to SSH into your router is an added bonus!


Requirements

First and foremost, you must have a spare computer with FreeBSD installed. This machine also has to have both a wireless card and a wired NIC. An extra laptop makes a great access point, since it takes up much less space than a desktop computer, especially if you stand it on its side. Software requirements will vary depending on what added features you wish to have, but a basic setup will require pf, bind, isc-dhcp40-server, and hostapd.


Installing the necessities

In order to make our wireless access point work properly, we will have to add a couple of packages to our system. First, check to make sure that bind is installed:

[blendax@moe ~]# named -v
BIND 9.4.2

If you get a command not found message, then you'll have to add it:

[blendax@moe ~]# sudo pkg_add -r bind9

Once the package is added, check for hostapd (which is part of the FreeBSD base):

[blendax@moe ~]# hostapd -v
hostapd v0.5.8
User space daemon for IEEE 802.11 AP management,
IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
Copyright (c) 2002-2007, Jouni Malinen <j@w1.fi> and contributors

If you get an error message, you most likely have a minimal install. You will either have to add it to your system by using sysinstall to add some distribution sets, or you can ftp into ftp.freebsd.org.

According to the FreeBSD Handbook, since the release of FreeBSD 5.3, PF has been included in the basic install as a separate run time loadable module. The system will dynamically load the PF kernel module when the rc.conf(5) statement pf_enable="YES" is present. However, we want pf to use the ALTQ framework, which is used for queuing network packets.

In order to enable this, we'll have to customize our kernel to include pf and ALTQ support. Luckily, this task is not as bad as it sounds. First, make sure you have the kernel source code. It can be found in /usr/src/sys. If you don't have it, you'll have to get the latest source using your favorite method of source synchronization.

Once you have the latest source, go to the kernel configuration directory. Then, make a copy of the GENERIC configuration, since we're going to use that as our base.

[blendax@moe ~]# cd /usr/src/sys/`uname -m`/conf
[blendax@moe ~]# cp GENERIC CUSTOM

Now, edit the CUSTOM file and add the following lines to the end of it: see Listing 1.
If you do not want to use ALTQ, you can omit the last seven options.

Now, we're ready to recompile! Start by typing the following:

[blendax@moe ~]# cd /usr/src
[blendax@moe ~]# make buildkernel KERNCONF=CUSTOM
[blendax@moe ~]# make installkernel KERNCONF=CUSTOM

Once it's finished, you will have to reboot:

[blendax@moe ~]# shutdown -r now

That is it for the kernel recompilation!


Setting up your wireless card

If you already have your wireless card working properly, you can skip this step. Otherwise, the first thing you will need to know is what kind of wireless card you have. More specifically, you'll need to know what kind of driver your card uses. Usually, wireless cards will use either the ath driver for Atheros hardware or the wi driver for those based on the Lucent Hermes, Intersil PRISM, and Symbol Spectrum24 chipsets.

Check the man pages for these drivers for a comprehensive list of supported hardware. If your wireless card does not fall into either of these categories, your best bet is to go to the manufacturer's Web site and look for FreeBSD drivers. If they do not offer them, you'll have to download the Windows drivers and use FreeBSD's handy ndisgen tool to convert them. For example, I have a really old laptop that uses a Dell TrueMobile 1350 PCMCIA Wireless Adapter (don't laugh). Luckily, ndisgen worked like a charm. Check its man page for more information.

For the rest of this article, I will be using the wi driver. If your hardware requires the ath driver, the steps should be similar. The first step is to load the kernel module. To do this without rebooting, type:

[blendax@moe ~]# kldload if_wi

However, we want this to automatically turn back on in case we have to reboot our machine, so enter the following line in /boot/loader.conf:




Listing 1. Kernel configuration

device pf
device pflog
device pfsync

options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
options ALTQ_NOPCC


Listing 2. Newly created wireless interface

wi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:07:ca:01:e4:9a
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        media: IEEE 802.11 Wireless Ethernet DS/11Mbps mode 11b <hostap> (DS/2Mbps <hostap>)
        status: associated
        ssid freebsdAP channel 1 (2412 Mhz 11b) bssid 00:07:ca:01:e4:9a
        stationname "FreeBSD WaveLAN/IEEE node"
        authmode OPEN privacy MIXED deftxkey UNDEF wepkey 1:40-bit
        scanvalid 60 dtimperiod 1

Listing 3. DHCPD configuration

### GLOBAL SETTINGS
ddns-update-style none;
always-broadcast on;
default-lease-time 7200;
max-lease-time 7200;
authoritative;
option domain-name-servers 192.168.1.1;
option domain-name "localnet.localdomain";
option netbios-name-servers 192.168.1.1;

### Wired Network
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.150;
    option broadcast-address 192.168.0.255;
    option subnet-mask 255.255.255.0;
    option routers 192.168.0.1;
}

### Wireless Network
subnet 192.168.1.0 netmask 255.255.255.0 {
    # NOTE: See: wired->range.notes
    range 192.168.1.100 192.168.1.150;
    option broadcast-address 192.168.1.255;
    option subnet-mask 255.255.255.0;
    option routers 192.168.1.1;
}
if_wi_load="YES"

Another module that is required is wlan, which offers generic support for 802.11 drivers. This module is automatically loaded when you load wi. Unfortunately, there are other modules that we need, and we will have to reboot our machine. Add the following to /boot/loader.conf and then reboot:

wlan_scan_ap_load="YES"
wlan_scan_sta_load="YES"
wlan_wep_load="YES"
wlan_ccmp_load="YES"
wlan_tkip_load="YES"

wlan_scan_ap provides AP mode scanning and wlan_scan_sta provides STA mode scanning. The last three modules provide WEP support, AES-CCMP support, and TKIP (WPA) support. If you do not want to set up any type of security (for example, if you actually want your neighbors to have free network access), then you can exclude these. In this article, we are going to use WEP protection, although WPA is definitely better: WEP's RC4 keying is broken, a WEP key can be recovered from captured traffic in minutes, and the 40-bit key used below is the weakest variant, so treat it as a "keep out" sign rather than as encryption.

Listing 4. Hostapd configuration

interface=wi0
driver=bsd
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=3
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=freebsdAP
macaddr_acl=0
auth_algs=1
ieee8021x=0

Listing 5. Start the wireless interface on reboot

gateway_enable="YES"
hostname="freebsdAP"
ifconfig_xl0="DHCP"   # wired NIC; substitute your interface name
ifconfig_wi0="inet 192.168.0.1 netmask 0xffffff00 ssid freebsdAP wepmode on wepkey 0x1234567890 media DS/11Mbps mediaopt hostap"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_program="/sbin/pfctl"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
hostapd_enable="YES"
named_enable="YES"
dhcpd_enable="YES"
sshd_enable="YES"


Creating your access point

Assuming your wired connection is already configured, you can set up your access point by typing the following (of course you can change the SSID and WEP key to whatever you wish):

[blendax@moe ~]# ifconfig wi0 inet 192.168.0.1 netmask 0xffffff00 ssid freebsdAP wepmode on wepkey 0x1234567890 media DS/11Mbps mediaopt hostap
If it worked, after you type ifconfig you should see something like Listing 2.

Next, we're going to enable forwarding between interfaces and turn on the packet filter:

[blendax@moe ~]# sysctl -w net.inet.ip.forwarding=1
[blendax@moe ~]# pfctl -e

Everything appears to be in order. Right now we have a basic access point with some security. However, we are not done yet. Now, we are going to add some customizations to our wireless router! The first task is to update our packet filter configuration. Copy the second example ruleset to /etc/pf.conf:

[root@moe ~]# cp /usr/share/examples/pf/faq-example2 /etc/pf.conf

Next, edit the newly created pf.conf file. Change the interfaces to your wired networking connection. Once you make your changes, check the syntax with pfctl -nf /etc/pf.conf, then load the configuration file into pf by typing:

[root@moe ~]# pfctl -Fa -f /etc/pf.conf

The -Fa flushes the current rules and states before the new file is parsed, so loading a file with a typo would leave the router running with no rules at all; that is why the -n dry run comes first.
In order to dynamically assign IP addresses, we have to set up a DHCP server. Install the ISC DHCP server:

[root@moe ~]# cd /usr/ports/net/isc-dhcp40-server
[root@moe ~]# portinstall -P

Now, make the following changes in /usr/local/etc/dhcpd.conf: see Listing 3. We also have to edit hostapd.conf: see Listing 4.

Finally, add the following to rc.conf so the access point automatically restarts if you reboot: see Listing 5.
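Listing 5 gives wi0 the address 192.168.0.1, while Listing 3's wireless pool is 192.168.1.0/24 with routers 192.168.1.1, an address this box only has if the wired NIC carries it; dhcpd will happily hand wireless clients a gateway the router does not own. As an added example (not the article's own code, and not part of ISC dhcpd), here is a check that parses flat dhcpd.conf subnet blocks and verifies each pool against the router's interface addresses. The interface map, the range upper bounds and the interface name xl0 are assumptions.

```python
import ipaddress
import re

# Constructed inputs that mirror the article's listings: wi0's address from Listing 5 and the
# two subnet blocks from Listing 3. The range upper bounds are assumptions.
IFACE_ADDRS = {"wi0": "192.168.0.1/24"}
DHCPD_CONF = """
ddns-update-style none;
authoritative;
option domain-name-servers 192.168.1.1;

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.150;
    option broadcast-address 192.168.0.255;
    option subnet-mask 255.255.255.0;
    option routers 192.168.0.1;
}

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.150;
    option broadcast-address 192.168.1.255;
    option subnet-mask 255.255.255.0;
    option routers 192.168.1.1;
}
"""

_SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
_RANGE_RE = re.compile(r"\brange\s+(\S+)\s+(\S+)\s*;")
_OPTION_RE = re.compile(r"\boption\s+([\w-]+)\s+([^;]+);")
_DNS_RE = re.compile(r"\boption\s+domain-name-servers\s+([^;]+);")


def parse_subnets(conf):
    """Flat subnet blocks (no nested pool/host braces) -> [(network, (lo, hi) or None, {opt: val})]."""
    subnets = []
    for net, mask, body in _SUBNET_RE.findall(conf):
        network = ipaddress.ip_network("%s/%s" % (net, mask), strict=True)
        m = _RANGE_RE.search(body)
        rng = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))) if m else None
        subnets.append((network, rng, {k: v.strip() for k, v in _OPTION_RE.findall(body)}))
    return subnets


def check_dhcpd(conf, iface_addrs):
    """Return problem strings; an empty list means every pool can be served from this box."""
    local = [ipaddress.ip_interface(a) for a in iface_addrs.values()]
    local_ips = {i.ip for i in local}
    problems = []
    for network, rng, opts in parse_subnets(conf):
        tag = str(network)
        # dhcpd answers a subnet only on an interface that has an address in it (no relay here).
        if not any(i.ip in network for i in local):
            problems.append("%s: no local interface has an address in this subnet" % tag)
        gw = ipaddress.ip_address(opts["routers"]) if "routers" in opts else None
        if gw is not None and gw not in network:
            problems.append("%s: routers %s lies outside the subnet" % (tag, gw))
        elif gw is not None and gw not in local_ips:
            problems.append("%s: routers %s is not an address of this box" % (tag, gw))
        if rng:
            lo, hi = rng
            if lo not in network or hi not in network or lo > hi:
                problems.append("%s: range %s-%s is not a pool inside the subnet" % (tag, lo, hi))
            elif gw is not None and lo <= gw <= hi:
                problems.append("%s: range hands out the router address %s" % (tag, gw))
        bc = opts.get("broadcast-address")
        if bc and ipaddress.ip_address(bc) != network.broadcast_address:
            problems.append("%s: broadcast-address %s should be %s" % (tag, bc, network.broadcast_address))
        sm = opts.get("subnet-mask")
        if sm and ipaddress.ip_address(sm) != network.netmask:
            problems.append("%s: subnet-mask %s should be %s" % (tag, sm, network.netmask))
    # A private DNS server must be this box or at least sit on a directly attached subnet.
    for m in _DNS_RE.finditer(conf):
        for ns in (ipaddress.ip_address(s.strip()) for s in m.group(1).split(",")):
            if ns.is_private and ns not in local_ips and not any(ns in i.network for i in local):
                problems.append("domain-name-servers %s is neither local nor on an attached subnet" % ns)
    return problems
```

With only wi0 at 192.168.0.1/24, check_dhcpd() flags the 192.168.1.0/24 pool and the 192.168.1.1 name server; adding a wired interface at 192.168.1.1/24 clears every finding, which is the quickest way to tell whether the listings describe two interfaces or one mislabelled subnet.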

That's it! After only a few steps, you now have your own customized FreeBSD access point. There are many more things you can do with your wireless router, such as setting up SSH access and email alerts. The possibilities are endless!
CPU Scaling on FreeBSD UNIX

Slawomir Wojciech Wojtczak (vermaden)

FreeBSD, like many other of today's UNIX systems, offers scaling of the CPU frequency to save power and emit less heat (which indirectly also leads to less power consumption).

Compared to other solutions like the Solaris or Linux implementations, which directly follow Intel's defined C-states and P-states for the CPU, FreeBSD goes a bit further by offering the end user every possible frequency that the CPU can run on. This may sound misleading, but things will be simple after reading the next paragraph.

Let's check what steps are offered by Intel on a T7300 2GHz CPU: 800, 1200, 1600, 2000. These steps are supported on the mentioned operating systems, but FreeBSD offers these on the same CPU: 150, 300, 450, 600, 750, 900, 1050, 1200, 1400, 1600, 1750, 2000, which means that you can save even more power and you have a lot more flexibility in choosing the desired frequency. The extra steps come from cpufreq(4) combining the absolute SpeedStep levels with relative throttling drivers such as p4tcc(4) and acpi_throttle(4): 1750 is 2000 at a 7/8 duty cycle, 1400 is 1600 at 7/8, and 150 through 1050 are 1200 at 1/8 through 7/8. Throttling idles the clock for part of each cycle instead of lowering the core voltage, so those derived levels save less power per MHz than a true P-state. The same applies to desktop Intel microprocessors that of course support Intel SpeedStep technology: while Solaris or Linux use 1600 or 1866 MHz on the Intel E6320 model, FreeBSD starts at 250...


Turn It On

FreeBSD's powerd(8) daemon, which is responsible for frequency scaling, is disabled by default. To turn it on with default settings (which are pretty good by the way) you need to do two things: enable the powerd(8) service by adding powerd_enable="YES" to the /etc/rc.conf file, and then start the daemon itself:

box# /etc/rc.d/powerd start
Starting powerd.
box#

You may check if the powerd(8) daemon is really running by:

box# pgrep powerd
893
box#

FreeBSD, to support frequency scaling, needs to have cpufreq(4) compiled into the kernel (which is the default from 7.1-RELEASE) or the cpufreq kernel module loaded if it is not compiled in.

You can customize the powerd(8) daemon to switch to a higher or lower state at a different CPU load than the default; you will have to use the powerd_flags option in the /etc/rc.conf file. Below is my example; I encourage you to read man powerd to get all the details.

powerd_flags="-i 85 -r 60 -p 100"
Now we have powerd(8) up and running, scaling our processor frequency. To get the current values that powerd(8) picks up, you need to type this:

box# sysctl dev.cpu.0.freq_levels
dev.cpu.0.freq_levels: 2000/31000 1750/27125 1600/22000 1400/19250 1200/13000 1050/11375 900/9750 750/8125 600/6500 450/4875 300/3250 150/1625

Each entry is the frequency in MHz followed by the driver's estimate of the power draw at that level in milliwatts.

Of course we can disable powerd(8) and set the frequency that we want to use manually, like that:

box# /etc/rc.d/powerd stop
Stopping powerd.
box# sysctl dev.cpu.0.freq=450
dev.cpu.0.freq: 2000 -> 450
box#

To sum up, the cpufreq(4) kernel module allows us to set other than default steps for our CPU, and powerd(8) is a daemon that automatically sets the best step based on the current system load to save maximum power.

Setting Lowest Frequency

We can also set the minimal step that we want to use with powerd(8). We will have to use the sysctl(8) MIB called debug.cpufreq.lowest. We can also set that up in /boot/loader.conf to make it permanent after reboot, but we can also change it on a running system; you will only have to restart powerd(8) to make it know the new lowest frequency setting: see Listing 1.

Listing 1. Setting lowest frequency

box# sysctl dev.cpu.0.freq
dev.cpu.0.freq: 150
box# sysctl debug.cpufreq.lowest
debug.cpufreq.lowest: 0
box# sysctl debug.cpufreq.lowest=450
debug.cpufreq.lowest: 0 -> 450
box# /etc/rc.d/powerd restart
Stopping powerd.
Starting powerd.
box# sysctl dev.cpu.0.freq
dev.cpu.0.freq: 450
box#

Setting Highest Frequency

Some laptops get a little too hot when running at the maximum available speed of their processor; also power consumption grows as we use the top steps. By default FreeBSD does not offer a sysctl(8) MIB for that, but a patch submitted by Boris Kochergin allows us to also set the highest step that powerd(8) will use: see Listing 2.

To apply this patch you will need to do these simple steps:

box# cd /usr/src/sys/kern
box# patch < /path/to/patch
box#

Now you will have to recompile your kernel (or just the module if you do not have cpufreq(4) compiled in); the official FreeBSD Handbook will guide you through this process efficiently. After a reboot or reloading the cpufreq(4) module you can use the new sysctl(8) MIB called debug.cpufreq.highest to limit the maximum step for powerd(8). Same as for the lowest setting, the best place for making it permanent is the /boot/loader.conf file. After you have chosen your lowest and highest settings, the available frequencies shown by dev.cpu.0.freq_levels will be limited to these settings:

box# sysctl dev.cpu.0.freq_levels
dev.cpu.0.freq_levels: 1200/13000 1050/11375 900/9750 750/8125 600/6500
box#

Listing 2. Patch that enables setting highest frequency

--- kern/cpufreq.c.orig
+++ kern/cpufreq.c
@@ -131,12 +131,16 @@
 DRIVER_MODULE(cpufreq, cpu, cpufreq_driver, cpufreq_dc, 0, 0);
 
 static int	cf_lowest_freq;
+static int	cf_highest_freq;
 static int	cf_verbose;
 TUNABLE_INT("debug.cpufreq.lowest", &cf_lowest_freq);
+TUNABLE_INT("debug.cpufreq.highest", &cf_highest_freq);
 TUNABLE_INT("debug.cpufreq.verbose", &cf_verbose);
 SYSCTL_NODE(_debug, OID_AUTO, cpufreq, CTLFLAG_RD, NULL, "cpufreq debugging");
 SYSCTL_INT(_debug_cpufreq, OID_AUTO, lowest, CTLFLAG_RW, &cf_lowest_freq, 1,
     "Don't provide levels below this frequency.");
+SYSCTL_INT(_debug_cpufreq, OID_AUTO, highest, CTLFLAG_RW, &cf_highest_freq, 1,
+    "Don't provide levels above this frequency.");
 SYSCTL_INT(_debug_cpufreq, OID_AUTO, verbose, CTLFLAG_RW, &cf_verbose, 1,
     "Print verbose debugging messages");
@@ -295,6 +299,14 @@
 		goto out;
 	}
 
+	/* Reject levels that are above our specified threshold. */
+	if (cf_highest_freq > 0 && level->total_set.freq > cf_highest_freq) {
+		CF_DEBUG("rejecting freq %d, greater than %d limit\n",
+		    level->total_set.freq, cf_highest_freq);
+		error = EINVAL;
+		goto out;
+	}
+
 	/* If already at this level, just return. */
 	if (CPUFREQ_CMP(sc->curr_level.total_set.freq, level->total_set.freq)) {
 		CF_DEBUG("skipping freq %d, same as current level %d\n",
@@ -617,8 +629,13 @@
 			continue;
 
-		/* Skip levels that have a frequency that is too low. */
-		if (lev->total_set.freq < cf_lowest_freq) {
+		/*
+		 * Skip levels that have a frequency that is too low or too
+		 * high.
+		 */
+		if (lev->total_set.freq < cf_lowest_freq ||
+		    (cf_highest_freq > 0 &&
+		    lev->total_set.freq > cf_highest_freq)) {
 			sc->all_count--;
 			continue;
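Review bot: in the first hunk, the description string for the new debug.cpufreq.highest sysctl and its tunable does not say that 0 lifts the cap, although both later hunks test cf_highest_freq > 0 as the "unset" sentinel; since sysctl -d is the only documentation most users will see, suggest "Don't provide levels above this frequency (0 = no limit)." and the same sentence in the commit message.

Review bot: the second hunk (cf_set_method) rejects any level above cf_highest_freq with EINVAL, but nothing stops an administrator from setting debug.cpufreq.highest below debug.cpufreq.lowest; with both limits in force every level is refused here and filtered out in the third hunk, so dev.cpu.N.freq_levels comes back empty and powerd(8) has nothing to select. Suggest exporting highest (and lowest) through a SYSCTL_PROC handler that refuses highest < lowest at the time it is set, instead of the plain SYSCTL_INT.

Review bot: the third hunk (cf_levels_method) only filters the advertised level list; nothing in the patch moves a CPU that is already running above the new cap, so after sysctl debug.cpufreq.highest=1200 with powerd(8) stopped, dev.cpu.0.freq still reports 2000 while dev.cpu.0.freq_levels no longer lists it. That matches how cf_lowest_freq behaves today, but it deserves a sentence in the commit message so nobody reads the empty-looking list as a driver bug.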


Below you can see a table that presents the power consumption of the available CPU frequency steps of an Intel T7300 processor, all measured using an external wattmeter without the battery inside the laptop, just on A/C. The CPU was of course loaded to 100% using four python(1) processes calculating 999999999999 ** 999999999999 (see Table 1).

I believe that 1200MHz seems the best maximum frequency to use on that specific CPU; all higher ones consume too much power. I also measured idle power consumption, but even the difference between 150 and 2000 is marginal (8W), so only the fully loaded power consumption is important.
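To see what the two limits do to the advertised level list, here is an added example (not the article's nor FreeBSD's code) that parses the dev.cpu.0.freq_levels line quoted above, applies the same filter rule as the patched cf_levels_method (0 means no cap), and flags limit pairs that leave powerd(8) with nothing to choose, which the patch itself does not guard against. The level line is the article's own output; the efficiency ranking uses the driver's power estimates rather than the wattmeter figures from Table 1.

```python
import re

# The dev.cpu.0.freq_levels line quoted in the article: MHz/estimated mW per level.
FREQ_LEVELS_T7300 = ("dev.cpu.0.freq_levels: 2000/31000 1750/27125 1600/22000 "
                     "1400/19250 1200/13000 1050/11375 900/9750 750/8125 "
                     "600/6500 450/4875 300/3250 150/1625")

_LEVEL_RE = re.compile(r"^(\d+)/(-?\d+)$")


def parse_freq_levels(line):
    """Turn a 'dev.cpu.N.freq_levels: f/p f/p ...' line into [(MHz, mW), ...], highest first.
    cpufreq(4) reports -1 in the power field when the driver has no estimate."""
    _, _, body = line.partition(":")
    levels = []
    for tok in body.split():
        m = _LEVEL_RE.match(tok)
        if not m:
            raise ValueError("unexpected freq_levels token: %r" % tok)
        levels.append((int(m.group(1)), int(m.group(2))))
    if levels != sorted(levels, reverse=True):
        raise ValueError("levels are expected in descending frequency order")
    return levels


def filter_levels(levels, lowest=0, highest=0):
    """Mirror the patched cf_levels_method: drop levels below debug.cpufreq.lowest and, when
    debug.cpufreq.highest is non-zero, levels above it. 0 means 'no cap' for highest."""
    return [(f, p) for f, p in levels
            if f >= lowest and (highest <= 0 or f <= highest)]


def check_limits(levels, lowest, highest):
    """Problems the kernel patch does not guard against; an empty list means the limits are usable."""
    problems = []
    if highest > 0 and highest < lowest:
        problems.append("highest (%d MHz) is below lowest (%d MHz)" % (highest, lowest))
    if not filter_levels(levels, lowest, highest):
        problems.append("no level survives the limits; powerd would have nothing to select")
    return problems


def mhz_per_watt(levels):
    """Frequencies ranked by MHz per estimated watt, best first; levels without an estimate
    (-1) are skipped. Ties are broken in favour of the higher frequency."""
    ranked = [(f / (p / 1000.0), f) for f, p in levels if p > 0]
    return [f for _, f in sorted(ranked, reverse=True)]
```

With the T7300 numbers, filter_levels(levels, 600, 1200) reproduces the five-entry list shown above, check_limits(levels, 1200, 600) reports both the inverted pair and the empty result, and mhz_per_watt() puts 1200 and its throttled derivatives ahead of 1600 and 2000, in line with the author's choice of 1200 as the ceiling.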


Using C-states

We now know how to select the frequencies that we want to use on our CPU; now it's time to select C-states, which offer various levels of sleeping for our CPU (or individual cores) if they are idle for some period of time. Below is the table that lists the C-states available for the T7300 Intel CPU; more recent versions from the Montevina platform can have even more C-states with even deeper sleeping (see Table 2).

Table 1. Power consumption according to used CPU frequency. Columns: frequency (MHz), laptop power consumption (W). First row: 150 MHz, 22 W.

Table 2. C-states available for T7300 Intel CPU

To check which states are supported and available on FreeBSD for your CPU, run this command:

box# sysctl dev.cpu.0.cx_supported
dev.cpu.0.cx_supported: C1/1 C2/1 C3/57
box#

So in that case FreeBSD supports the C1 to C3 states on the T7300 CPU (the number after the slash is the wake-up latency in microseconds). You can get/set the deepest C-state for each core that way:

box# sysctl dev.cpu.0.cx_lowest
dev.cpu.0.cx_lowest: C1
box# sysctl dev.cpu.0.cx_lowest=C3
dev.cpu.0.cx_lowest: C1 -> C3
box# sysctl dev.cpu.1.cx_lowest
dev.cpu.1.cx_lowest: C1
box# sysctl dev.cpu.1.cx_lowest=C2
dev.cpu.1.cx_lowest: C1 -> C2
box#

There is a little catch that you need to know about when using C-states: if you set all cores to the deepest C-state, C3 in my case, your touchpad will have a little lag before you will be able to use it (about 1 second), which can be very annoying in the long term. The solution is to set one core to a C-state that offers rather low wake-up latency, C2 to be precise, and all other cores can be set to use the deepest available C-state to save as much power as possible. To make these settings permanent, put the dev.cpu.N.cx_lowest lines in /etc/sysctl.conf (they are runtime sysctls, not loader tunables). You can also display C-state usage statistics per core like that:
box# sysctl dev.cpu.0.cx_usage
dev.cpu.0.cx_usage: 0.00% 0.04% 99.95%
box# sysctl dev.cpu.1.cx_usage
dev.cpu.1.cx_usage: 0.00% 100.00% 0.00%
box#
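As an added example, not from the article, the following Python turns the cx_supported strings shown above into per-core cx_lowest settings following the policy just described (one low-latency core, the others as deep as possible) and renders the sysctl(8) commands; the sample strings and the 10 microsecond latency budget are assumptions made for the demonstration.

```python
# Added example, not from the article: turn the dev.cpu.N.cx_supported strings
# shown above into per-core cx_lowest choices following the article's policy
# (one core kept at a low-latency state so the touchpad wakes quickly, the rest
# at the deepest state), and render them as sysctl(8) commands.  The sample
# strings are constructed in the format sysctl prints: "C1/1 C2/1 C3/57",
# i.e. state/wake-up latency in microseconds.


def parse_cx_supported(value):
    """'C1/1 C2/1 C3/57' -> [('C1', 1), ('C2', 1), ('C3', 57)], shallow to deep."""
    states = []
    for entry in value.split():
        name, latency = entry.split("/")
        states.append((name, int(latency)))
    return states


def deepest_state(states):
    """FreeBSD lists the states from shallow to deep, so the last one is deepest."""
    return states[-1][0]


def low_latency_state(states, max_latency_us):
    """Deepest state whose wake-up latency fits the budget; the first state is the floor."""
    chosen = states[0][0]
    for name, latency in states:
        if latency <= max_latency_us:
            chosen = name
    return chosen


def plan_cx_lowest(per_core_supported, latency_core=0, max_latency_us=10):
    """Map 'dev.cpu.N.cx_lowest' -> state for every core.

    The 10 us budget is an assumption for this example, picked so that C2 (1 us)
    qualifies and C3 (57 us) does not, which reproduces the article's choice.
    """
    plan = {}
    for core, value in enumerate(per_core_supported):
        states = parse_cx_supported(value)
        if core == latency_core:
            choice = low_latency_state(states, max_latency_us)
        else:
            choice = deepest_state(states)
        plan["dev.cpu.%d.cx_lowest" % core] = choice
    return plan


def sysctl_commands(plan):
    """Render the plan as the sysctl(8) invocations used in the article."""
    return ["sysctl %s=%s" % (oid, state) for oid, state in sorted(plan.items())]


def parse_cx_usage(value):
    """'0.00% 0.04% 99.95%' -> [0.0, 0.04, 99.95]: time spent per supported state."""
    return [float(field.rstrip("%")) for field in value.split()]


def deepest_state_unused(usage):
    """True when the deepest supported state never gets used, i.e. cx_lowest is
    set shallower than the hardware allows (core 1 in the article's output)."""
    return parse_cx_usage(usage)[-1] == 0.0


if __name__ == "__main__":
    # Constructed sample: both cores of a T7300 report the same states.
    supported = ["C1/1 C2/1 C3/57", "C1/1 C2/1 C3/57"]
    for command in sysctl_commands(plan_cx_lowest(supported)):
        print(command)
```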


Other Settings 

You can also lower the kernel's timer frequency by changing the sysctl(8) MIB named kern.hz from the default 1000 to 100. This can be done only at boot time, so you need to place the line kern.hz=100 in /boot/loader.conf and reboot. It is also planned in future FreeBSD versions to make 100 the default value, but we will probably not see that until 8.0-RELEASE. Another thing you can do, not really related to the CPU, is mounting all your filesystems with the noatime option.

Now several words to AMD processor owners: FreeBSD also supports frequency scaling on AMD CPUs with Cool'n'Quiet, AMD's implementation of frequency scaling. It works the same way as we have used it on Intel CPUs in this article.

And that is all about scaling the frequency of your CPU if you run the FreeBSD operating system; I hope you will find it useful.
LDAP Authentication on OpenBSD Boxes

Nicolas Greneche

This article will focus on a remote user / password database (LDAP) where passwords are stored in a hashed form (SSHA). Only the client side aspect will be discussed on our favorite operating system: OpenBSD.


A user directory is a user database distributed on the network.

One of the very first directories, NIS (Network Information Service), was implemented by SUN. NIS is composed of two programs: ypserv and ypbind (the yp prefix stands for yellow page, a synonym of NIS). Ypserv is the server part of NIS. It is used to share user information (also called maps) across the network. Ypbind is installed on clients. This program connects to ypserv to get user information for clients. It has worked perfectly for years but many drawbacks have arisen:

- maps are transferred in plain text on the network
- ypserv does not require any authentication of ypbind to push maps
- password hashes were exposed in maps. A single "ypcat passwd" piped into john the ripper and the show would begin. Some (relatively) secure implementations of NIS (i.e. NIS+) hide password hashes
- NIS relies on RPC (Remote Procedure Call). Ypbind asks a program referred to as portmapper to connect to ypserv. Portmapper replies to ypbind with the random port number used. Ypbind connects on this port to get maps. This is a nightmare for firewalls
- information on users is limited to UNIX information. Any extra information must be added in the GECOS field, which is not very convenient.

Thankfully, LDAP has arrived!


LDAP and authentication basics

LDAP (Lightweight Directory Access Protocol) is a massively used protocol to store user information. This protocol is implemented in OpenLDAP, a directory software available in every operating system's package manager. An LDAP directory may contain objects (users, groups, amd maps, sudoers, DNS zones, etc.) defined by schemas (collections of attributes for an object) and stored in a database backend (i.e. BerkeleyDB). A user's LDAP record contains his login, uid, gid, GECOS etc. Each UNIX user account is defined as a posixAccount class. The process running on the LDAP server is called slapd and is bound to port 389 (plain/start_tls) or 636 (ssl). Our configuration will rely on start_tls to secure connections (authentication of the server against clients and encrypted transactions).

Authentication is the process of proving your identity. OpenLDAP handles authentication in two ways:

- simple authentication: the password is stored in the user's LDAP record in a hashed form (MD5, SHA1, SSHA, etc.)
- SASL (Simple Authentication and Security Layer): a layer to plug various authentication methods (such as Kerberos) into OpenLDAP

The major benefit of using SASL is that you do not store any authentication information in your directory. Storing passwords in a directory may be a non-issue for many sysadmins. The drawback is that every application on your network should know how to deal with your external authentication method. Moreover, LDAP authentication is available in many applications and a very effective overlay is implemented in OpenLDAP (ppolicy) to handle password strength and aging.
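The directory in this article stores passwords as SSHA hashes; as an added example, not from the article, the Python below shows how OpenLDAP's {SSHA} userPassword values are built and verified, with the unsalted {SHA} scheme for contrast. The sample passwords and salts are constructed for the demonstration.

```python
# Added example, not from the article: how the {SSHA} values that the
# directory stores in userPassword are produced and checked.  OpenLDAP's
# {SSHA} scheme is base64(SHA1(password || salt) || salt); the salt is
# appended to the digest so that a verifier can recover it.  {SHA} is the
# unsalted variant, shown for contrast.  Sample passwords are constructed.
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20   # a SHA-1 digest is always 20 bytes; whatever follows is the salt
SALT_LEN = 4    # slappasswd's default salt length; any length decodes correctly


def ssha_hash(password, salt=None):
    """Produce a {SSHA} value the way slappasswd -h {SSHA} does."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password):
    """Unsalted {SHA}: equal passwords give equal values, so it is weaker."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def split_scheme(stored):
    """'{SSHA}abc...' -> ('{SSHA}', b'<digest+salt>')."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("userPassword value has no {scheme} prefix")
    end = stored.index("}") + 1
    return stored[:end].upper(), base64.b64decode(stored[end:])


def verify_userpassword(password, stored):
    """Check a candidate against a stored {SHA} or {SSHA} userPassword value.

    The comparison is constant-time so that the check does not leak how many
    digest bytes matched.
    """
    scheme, raw = split_scheme(stored)
    if scheme not in ("{SHA}", "{SSHA}"):
        raise ValueError("unsupported scheme %s" % scheme)
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]   # {SHA} yields an empty salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def salted_values_differ(password):
    """Two {SSHA} hashes of the same password differ because each gets its own
    salt, which is what hides shared passwords and defeats precomputed tables."""
    return ssha_hash(password) != ssha_hash(password)
```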


Prerequisites

I am supposing that you have a running OpenLDAP server using start_tls on your network. Anonymous bindings are allowed. Slapd configuration is out of the scope of this article. On the client side, some steps should be achieved before using LDAP authentication on an OpenBSD box. First, let's install the client part of OpenLDAP:

# export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.4/packages/i386
# pkg_add openldap-client

This package provides two useful things:

- Headers to compile ypldap (see below).
- Tools to manage the LDAP server (ldapsearch, ldapadd, ldapmodify, etc.)

To configure this package, edit /etc/openldap/ldap.conf: see Listing 1 and Table 1. This file is given as a sample. Feel free to modify it to fit your needs. Configuration should be checked by an ldapsearch:

# ldapsearch -x -ZZ

This command displays publicly accessible LDAP records of our slapd server using simple authentication (-x) as an anonymous user (no binddn) with start_tls enabled and mandatory (-ZZ).

Listing 1. /etc/openldap/ldap.conf

BASE        dc=example,dc=com
URI         ldap://ldapserver.example.com
TLS_CACERT  /etc/openldap/ssl/cacert.pem
TLS_REQCERT demand
ssl         start_tls
scope       sub
bind_policy soft

Table 1. /etc/openldap/ldap.conf attributes

BASE         This is the root of your LDAP directory.
TLS_CACERT   Path to the CA (Certificate Authority) certificate. This certificate is mandatory to check the signature of the certificate supplied by the server.
ssl          Method of ciphering transactions between client and slapd (none, ssl or start_tls).
scope        Level of recursion of LDAP requests.
(the descriptions of URI, TLS_REQCERT and bind_policy did not survive extraction)

Authentication process in OpenBSD

To perform authentication OpenBSD relies on the BSD authentication (also known as BSD Auth) framework. BSD Auth performs authentication by executing scripts or programs as processes separate from the one requiring the authentication. These two processes speak through IPC (Inter Process Communication). This provides privilege separation: each process runs as an identity which has only the necessary privileges on the system. This behaviour has significant security benefits, notably improved fail-safeness of software, and robustness against malicious and accidental software bugs.

Another authentication method is PAM (Pluggable Authentication Module). This software comes from the Linux world and is available on FreeBSD. Modules providing authentication are dynamically linked into the requesting process. This method is considered to be more flexible than BSD Auth but does not provide privilege separation without additional configuration. The same remark applies to NSS (Name Switching Service): that's why it is not implemented in OpenBSD.

The LDAP login component is referred to as login_ldap on OpenBSD. To install it:

# pkg_add login_ldap

BSD Auth configuration is done through the /etc/login.conf file. This file lists the configuration of all available login classes for users. Each user account has a login class. For LDAP authentication, an extra class must be added to login.conf. Edit /etc/login.conf and append the class shown in Listing 2 (its attributes are described in Table 2).

Listing 2. /etc/login.conf

ldap:\
        :auth=-ldap:\
        :x-ldap-server=ldapserver.example.com,,starttls:\
        :shell=/bin/ksh:\
        :x-ldap-basedn=dc=example,dc=com:\
        :x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
        :x-ldap-groupdn=ou=groups,dc=example,dc=com:\
        :x-ldap-groupfilter=(&(objectClass=posixGroup)(memberUid=%u)):\
        :tc=default:

Table 2. /etc/login.conf attributes

auth                Name of login class.
shell               Force shell at login (override current shell). Bash is not available in the OpenBSD base system (ksh should be used instead).
x-ldap-filter       Filter used to retrieve posixAccount objects from the LDAP directory.
x-ldap-groupfilter  Filter used to retrieve posixGroup objects from the LDAP directory.

BSD 3/2009

Listing 3. List of commands to cvs the OpenBSD sources

export CVSROOT="anoncvs@anoncvs.de.openbsd.org:/cvs"
cd /usr && cvs checkout -P src
cd /usr/src/usr.sbin/ypldap
make depend && make && make install

Import users

User importation can be accomplished in two ways. OpenBSD does not have an NSS (Name Switching Service) mechanism like Linux or FreeBSD. Prior to OpenBSD 4.4, all accounts (and groups) had to be recreated on the OpenBSD box with ldap as the login class. Users had to be created this way:

# /usr/sbin/useradd -d /home/toto -u 1002 -g 1002 -L ldap toto
This way, a user can log in to the OpenBSD box with his LDAP password. A second method appeared in OpenBSD 4.4 and upcoming ones. This method relies on ypldap: a new program that provides yellow page (yp) maps to OpenBSD using an LDAP backend. The first step is to compile ypldap. Upcoming versions of OpenBSD will include a binary form of ypldap in the base system. To compile it, grab the cvs of the latest OpenBSD 4.4 source tree: see Listing 3.

If the compilation process complains about a missing ldap.h, check if openldap-client is installed. The next step is to configure the ypldap connection to your LDAP server. This can be done through /etc/ypldap.conf: see Listing 4.

This file specifies a name for the domain (to stay compliant with ypbind), the maps supplied (provide map), the LDAP server's FQDN (directory), and the attribute mapping for this directory (i.e., uid on the map stands for uidNumber in LDAP).

Like NIS, you must add the following lines to the passwd and group files (see Listing 5).


Listing 4. /etc/ypldap.conf

domain localdomain
interval 60
provide map passwd.byname
provide map passwd.byuid
provide map group.byname
provide map group.bygid

directory ldapserver.example.com {
        basedn "dc=example,dc=com"

        passwd filter "(objectClass=posixAccount)"
        attribute name maps to "uid"
        fixed attribute passwd "*"
        attribute uid maps to "uidNumber"
        attribute gid maps to "gidNumber"
        attribute gecos maps to "cn"
        attribute home maps to "homeDirectory"
        fixed attribute shell "/bin/ksh"
        fixed attribute change "0"
        fixed attribute expire "0"
        fixed attribute class "ldap"

        group filter "(objectClass=posixGroup)"
        attribute groupname maps to "cn"
        fixed attribute grouppasswd "*"
        attribute groupgid maps to "gidNumber"
        list groupmembers maps to "memberUid"
}

Listing 5. List of commands to permit users appending to the local base (like in NIS). All lines starting with '#' are commands. ypldap -dv is also a command and the trailing lines are its output.

# vipw
+:*::::::::/bin/ksh
# echo "+:*::" >> /etc/group

Then you can check if ypldap works:

# ypldap -dv
configuration starting
applying configuration
connecting to directories
trying directory: ldapserver.example.com
starting directory update
updates are over, cleaning up trees now
flattening trees
pushing line: user1:*:1000:1000:ldap:0:0:USER 1:/home/user1:/bin/ksh
pushing line: user1:*:1000:

Listing 6. /etc/rc

#if [ X`domainname` != X ]; then
#       if [ -d /var/yp/`domainname` ]; then
#               # YP server capabilities needed...
#               echo -n ' ypserv';              ypserv ${ypserv_flags}
#               #echo -n ' ypxfrd';             ypxfrd
#       fi
#       if [ -d /var/yp/binding ]; then
#               # YP client capabilities needed...
#               echo -n ' ypbind';              ypbind
#       fi
#fi

Listing 7. /etc/rc.local

# Add your local startup actions here.

if [ X"${ypldap_flags}" != X"NO" ]; then
        echo -n ' ypldap'
        /usr/sbin/ypldap ${ypldap_flags} 1> /dev/null &
        sleep 10
fi

if [ -d /var/yp/binding ]; then
        # YP client capabilities needed...
        echo -n ' ypbind';              ypbind
fi
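As an added example (not from the article or from ypldap itself), the Python below flattens directory entries into the map lines that Listing 5 shows ypldap pushing, following the attribute mapping of Listing 4; the entries, the mapping tables and the validation of field contents are constructed for this demonstration.

```python
# Added example, not from the article or from ypldap itself: flatten LDAP
# entries into the passwd(5)/group(5) map lines that Listing 5 shows ypldap
# pushing, using the attribute mapping of Listing 4.  The mapping tables, the
# directory entries and the validation rules below are constructed for this
# demonstration; the real ypldap reads /etc/ypldap.conf and the LDAP server.

# Field order follows master.passwd(5):
# name:passwd:uid:gid:class:change:expire:gecos:home:shell
# ("attribute", X) copies LDAP attribute X, ("fixed", V) inserts the constant V,
# ("list", X) joins every value of multi-valued attribute X with commas.
PASSWD_MAP = [
    ("name",   ("attribute", "uid")),
    ("passwd", ("fixed", "*")),
    ("uid",    ("attribute", "uidNumber")),
    ("gid",    ("attribute", "gidNumber")),
    ("class",  ("fixed", "ldap")),
    ("change", ("fixed", "0")),
    ("expire", ("fixed", "0")),
    ("gecos",  ("attribute", "cn")),
    ("home",   ("attribute", "homeDirectory")),
    ("shell",  ("fixed", "/bin/ksh")),
]

# group(5): groupname:grouppasswd:groupgid:groupmembers
GROUP_MAP = [
    ("groupname",    ("attribute", "cn")),
    ("grouppasswd",  ("fixed", "*")),
    ("groupgid",     ("attribute", "gidNumber")),
    ("groupmembers", ("list", "memberUid")),
]

NUMERIC_FIELDS = {"uid", "gid", "groupgid"}

# Constructed entries mirroring the user1 lines in Listing 5's output.
USER1 = {
    "uid": ["user1"],
    "uidNumber": ["1000"],
    "gidNumber": ["1000"],
    "cn": ["USER 1"],
    "homeDirectory": ["/home/user1"],
}
GROUP1 = {"cn": ["user1"], "gidNumber": ["1000"]}   # private group, no memberUid


def resolve(entry, source):
    """Fetch one map field from an LDAP entry according to its mapping rule."""
    kind, arg = source
    if kind == "fixed":
        return arg
    values = entry.get(arg, [])
    if kind == "list":
        return ",".join(values)
    if len(values) != 1:
        raise ValueError("attribute %s must have exactly one value" % arg)
    return values[0]


def flatten(entry, mapping):
    """Build one colon-separated map line, refusing values that would corrupt it.

    A ':' or newline inside a directory attribute would shift or inject fields
    (a gecos of 'x:0:0' could rewrite uid/gid), so such entries are rejected
    rather than pushed; uid/gid fields must be plain integers.
    """
    fields = []
    for name, source in mapping:
        value = resolve(entry, source)
        if ":" in value or "\n" in value:
            raise ValueError("illegal character in field %s: %r" % (name, value))
        if name in NUMERIC_FIELDS and not value.isdigit():
            raise ValueError("field %s must be numeric: %r" % (name, value))
        fields.append(value)
    return ":".join(fields)


def passwd_line(entry):
    return flatten(entry, PASSWD_MAP)


def group_line(entry):
    return flatten(entry, GROUP_MAP)


def is_pushable(entry, mapping):
    """True when the flattening above would accept the entry."""
    try:
        flatten(entry, mapping)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("pushing line:", passwd_line(USER1))
    print("pushing line:", group_line(GROUP1))
```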
This example shows how user1 (and his user private group) is pushed from the LDAP directory to the maps. The last step is to enable ypbind. You must specify a domainname (the same as the one in ypldap.conf) and launch the portmapper before running ypbind:

# echo localdomain > /etc/defaultdomain
# portmap
# ypbind

Now you can type in getent passwd and getent group to check if all your accounts and groups are in the maps. If not, happy debugging!

Automation at startup

Automation of the whole process is a bit tricky. First you must disable the default execution of all yp programs such as ypserv, ypbind and ypxfrd. Ypserv and ypxfrd are of no use here. Ypbind must be disabled because otherwise it tries to start before ypldap (and ypbind relies on ypldap). Edit /etc/rc (see Listing 6).

Next, add the startup process for ypldap and ypbind. This can be done in /etc/rc.local (see Listing 7). The sleep 10 after ypldap startup is important because it must be started and up before ypbind. Finally, edit /etc/rc.conf.local to enable services startup:

portmap=YES
ypldap_flags=""

Ypldap provides a flexible and secure way to handle users from LDAP in OpenBSD. Integration of ypldap will be complete in version 4.5.

Listing 8. /etc/ldap/slapd.conf

# include the schema
include /usr/share/openldap/schema/ppolicy.schema
[...]
# load policy module
moduleload ppolicy.la
[...]
# enable ppolicy overlay
overlay ppolicy
# policy location
ppolicy_default "cn=hardened,ou=policies,dc=example,dc=com"

Listing 9. hardened_policy.ldif

# basic ldap entry
dn: cn=hardened,ou=policies,dc=example,dc=com
cn: hardened
objectClass: pwdPolicy
objectClass: organizationalRole
# name of the password attribute
pwdAttribute: userPassword
# password aging
pwdMaxAge: 604800
# minimum size of 8 characters
pwdMinLength: 8
# 4 passwords in history
pwdInHistory: 4
# strict control of password quality
pwdCheckQuality: 2
# password can be locked
pwdLockout: TRUE
# permanent lockout of password after 3 attempts
pwdMaxFailure: 3
pwdLockoutDuration: 0
Hardening and aging passwords

There are two ways of hardening passwords in an operating system: server side and client side. On the client side, the password renewal procedure relies on local mechanisms like PAM (i.e. cracklib). The password policy must be set on each computer of your network. With OpenLDAP it became possible to centralize the password policy on the server. The overlay ppolicy has been designed for this purpose. All attributes of the policy criteria are defined in the pwdPolicy object (located in the ppolicy.schema file on my Debian OpenLDAP server). This overlay enables password composition restrictions and aging. The configuration is stored in your LDAP database backend. To enable it on the server side just add the following to slapd.conf, as in Listing 8.

The following LDAP entry can then be added to the server directory, as in Listing 9.

You can specify as many password policies as you need. To bind a user to a non-default password policy, just add a pwdPolicySubentry attribute with the dn of your custom password policy. An external password checker can be plugged into each policy by adding the objectClass pwdPolicyChecker to a given policy. This overlay implements an IETF draft, Password Policy for LDAP Directories. As a consequence, this overlay is very likely to become part of the LDAP standard. This way, ppolicy operates on passwords used for LDAP bindings. Many applications use LDAP binding as their authentication.

Conclusions

This article will be a great help for those who want to start with LDAP on OpenBSD. A proper way of retrieving and authenticating users has been awaited for months (or years!). Security issues with the classical PAM and NSS couple prevented them from being used in OpenBSD. Now, with ypldap and the login_ldap package, you can perform authentication securely.
FreeBSD and Snort Intrusion Detection System

Svetoslav P. Chukov

What is an intrusion detection system? An Intrusion Detection System or IDS is a software and/or hardware system designed to detect unauthorized attempts to access computer systems through a network such as the Internet.


These attempts can be part of a hacker's attack or just unwanted network activity. An IDS cannot directly detect attacks within encrypted network traffic. However, it can alert the network administrator to potential problems within that traffic.

An intrusion detection system can detect many attacks 
that can compromise the security and trust of a computer 
system. These attacks target vulnerable services to take 
over host computers. In order to achieve that they may try 
brute force attacks to break passwords, or use viruses, Trojan 
horses, and worms to trick users into surrendering sensitive 
information. 

An IDS is composed of several components: Sensors 
which detect security events, a Console to monitor events, 
send alerts and control the sensors, and a central Engine that 
records events logged by the sensors. Intrusion Detection 
Systems can use several output engines like database, log 
files, pipes or network sockets. The last method is especially 
useful if you have multiple sites and want to track activity at a 
central location. 

There are several ways to categorize systems depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In this article, we will focus on one of these types: the Network Intrusion Detection System.

A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or attempts to crack into computers by monitoring network traffic.

The NIDS does this by reading all the incoming packets and trying to match the behavior against a signature. For example, a port scan signature is a large number of TCP connections across many ports on several IP addresses.


A NIDS can be used not only for inspecting the incoming and outgoing network traffic: often local traffic may indicate an ongoing intrusion as well.
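The port scan signature described above, as an added example that is not from the article or from Snort: a detector that counts distinct ports and hosts per source over constructed connection records, with the window and thresholds chosen for the demonstration.

```python
# Added example, not from the article or from Snort: the port-scan signature the
# text describes ("a large number of TCP connections across many ports on
# several IP addresses") as a small detector over connection records.  The
# records and the thresholds are constructed for the demonstration; Snort's
# sfportscan preprocessor has its own, tunable, heuristics.
from collections import defaultdict


def build_sample():
    """Constructed connection records: (timestamp_s, src_ip, dst_ip, dst_port)."""
    records = []
    # A busy but legitimate client: 40 connections, all to ports 80/443 on one host.
    for t in range(40):
        records.append((t, "198.51.100.5", "192.0.2.10", 443 if t % 2 else 80))
    # A scanner: one connection per port, 25 ports on each of two hosts, within a minute.
    for port in range(1, 26):
        records.append((port, "203.0.113.7", "192.0.2.10", port))
        records.append((30 + port, "203.0.113.7", "192.0.2.11", 1000 + port))
    return records


def portscan_alerts(records, window=60, min_ports=20, min_hosts=2):
    """Flag sources that touch >= min_ports distinct ports on >= min_hosts hosts
    within one tumbling window of `window` seconds.

    Counting distinct (host, port) pairs rather than connections is what keeps
    the legitimate client (many connections, two ports) below the threshold.
    """
    targets = defaultdict(set)          # (src, window index) -> {(dst, port)}
    for ts, src, dst, port in records:
        targets[(src, ts // window)].add((dst, port))

    alerts = []
    for (src, idx), pairs in sorted(targets.items()):
        ports = {port for _, port in pairs}
        hosts = {dst for dst, _ in pairs}
        if len(ports) >= min_ports and len(hosts) >= min_hosts:
            alerts.append({
                "src": src,
                "window_start": idx * window,
                "distinct_ports": len(ports),
                "hosts": len(hosts),
            })
    return alerts


def format_alert(alert):
    """One line per alert, in the spirit of an IDS alert log entry."""
    return "PORTSCAN src=%s window=%ds ports=%d hosts=%d" % (
        alert["src"], alert["window_start"], alert["distinct_ports"], alert["hosts"])


if __name__ == "__main__":
    for alert in portscan_alerts(build_sample()):
        print(format_alert(alert))
```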

One of the important features of the network intrusion 
detection systems is that they can communicate with other 
systems. They can, for example, update blacklists of suspected 
IP addresses or alter firewall rules to block some specific 
traffic. One such system is Snort. 


Basic overview of Snort and where we can use it

Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) capable of performing packet logging and real-time traffic analysis on IP networks.

Snort uses tools such as protocol analysis and content inspection and matching to analyze and detect hacking activity. Some of these tools can also be used to detect and block attacks and probes, such as buffer overflows, stealth port scans, web application attacks, SMB probes, or OS fingerprinting attempts. The software can also be used for intrusion prevention by dropping attacks as they are taking place.

There are several operating modes available in Snort. It can be configured to run in the following modes:

- Sniffer mode. In this mode, Snort simply reads the packets off of the network and displays them for you on the console.
- Packet Logger mode. This mode logs the packets to disk.
- Network Intrusion Detection System (NIDS) mode. This mode analyzes network traffic for matches against a user-defined rule set and performs defensive actions based upon what it detects.
Listing 1a-1c. Output of running Snort (the three two-column pages of this listing did not survive extraction; what can be recovered: Snort starts in IDS mode, parses the rules file /usr/local/etc/snort/snort.conf, prints the Frag3, Stream5, HttpInspect, FTPTelnet, SMTP, DCE/RPC, DNS and SSL preprocessor configurations, loads the dynamic engine libsf_engine.so and the dynamic preprocessor libraries from /usr/local/lib/snort/dynamicpreprocessor/, reads 1 Snort rule (1 detection rule, 0 decoder rules, 0 preprocessor rules, 0 dynamic rules), reports the rule application order activation->dynamic->pass->drop->alert->log and the log directory /var/log/snort/, initializes network interface em0 decoding Ethernet, announces itself as Snort Version 2.8.2.1 (Build 16) FreeBSD by Martin Roesch & The Snort Team, and, since no packets were received during this run, shows 0 for every counter in the packet wire totals and the breakdown by protocol.)
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Preventive Medicine 

As hackers become more and more 
active, it is extremely important for a 
server to be up-to-date with appropriate 
security patches. Network — security 
depends on the strength of the weakest 
link. When a network has weak security in 
one segment of the network, regardless 
of whether just a small office or home 
LAN, then the machines in that network 
automatically become vulnerable. 

As a network administrator, in order to 
increase the security and stability of the 
network, | recommend putting up multiple 
barriers to reduce the risk of network 
penetration. An ounce of prevention is 
worth more than a pound of cure. 

So, what barriers do | recommend? 
First, in order to have a stable and secure 
operating system, 

| will demonstrate how to implement 
Snort using the FreeBSD operating system. 
It is easy to find “dry’ documentation how 
to use Snort, what its options are and 


Listing 1d. Output of running Snort 


Stream) Statistics = 
Total sessions: 
TCP sessions: 


UDP sessions: 


ICMP sessions: 


TCP Prunes: 


UDP Prunes: 


ICMP Prunes: 


TCP StreamTrackers Created: 


TCP StreamIrackers Deleted: 


TEL WiLiMTSourieS < 


TCP Overlaps: 

TCP Segments Queued: 
TCP Segments Released: 
MCP Rebuile Packers: 
TCP Segments Used: 

TCP Duscards: 


UDP Sessions Created: 


UDP Sessions Deleted: 


UDE WainiesouneS 


UDP Diiscaiwels < 


SRS) iS eS) eS eS) eS eS eS SS MS eG ie eS =e 1S, Fe es = 


Events: 


what that options mean. What is rare to 
encounter is documentation based on 
real world experience. 

An intrusion detection system like Snort is a good tool for protecting networks when it is set up properly. These systems are especially beneficial when used in combination with an optimized operating system like FreeBSD. FreeBSD is the preferred choice for servers with a requirement for high reliability, such as firewalls, gateways or border machines accessible from the internet. You can also use Snort to protect applications. If you know a particular service is vulnerable, Snort can be used to mask the application from attacks on that service. This is similar to the patch-on-the-wire technology used in high end security appliances.

I wrote a server application that receives and sends data through a port to other clients in the network. The application had some known weak points. I set up Snort to sniff the traffic, log a message and drop the packet if there was any attempt to exploit the application. This is just a small area where Snort can be useful.

The combination of FreeBSD, its firewall, and Snort can be used for border machines where security is of high importance. Take, for example, the server mentioned before. 3 days after the server started I analyzed the logs and found multiple attempts to subvert the network. The server was set up with SSH and the application. The server logged dozens of attempts to log in with the usernames "etc", "jack" and "root".

Snort was configured to inspect the incoming packets. Then I checked the log file from time to time to collect new information about the IP addresses that "breached the line".

In another example, I set up PPPoE to demonstrate the difficulty faced by internet service providers (ISPs). I would advise any internet service provider to use Snort. Basically, an ISP could just provide an internet connection to its customers. Unfortunately, there are a lot of customers that use the internet connection as a springboard for hacking, stealing passwords or some other illegal activity. So, in simple words, the ISP has a very difficult job.

The provider has to protect its customers from each other and protect their data. On one side the ISP provides a service, and on the other side this provider has to provide protection if it wants to keep its customers.

Snort can be used to detect, stop, and report illegal activity, and in that case it can make the ISP's life easier. This is just one example of how an intrusion detection system like Snort can be useful.


Installing and Using Snort
We are at the point where I should show you how to get Snort on your machine.

To add Snort to your system, type the following command:

pkg_add snort-<version>.tbz

That installed Snort on my system. You should check if you need some other packages to be installed; it is different for every system, so if the pkg_add program needs more packages you should install them as well.

Then you can focus on your work with Snort. Actually the work with it is very simple. There is a configuration file called snort.conf and several rules files.

I have the configuration file in /usr/local/etc/snort/snort.conf and the rules are there also. So, all the files are available in the /usr/local/etc/snort directory. You can use them at any location that you want; this is not important.

Listing 2. Logs (Snort alert log; the individual entries are not legible in the scan. Each entry consists of a header line with the rule message "A Test", a [Priority: 0] line, a timestamp line such as 02/23-13:33:59.756180 followed by source -> destination address and port, the IP header fields (TCP TTL:64 TOS:0x0 ... IpLen:20 DgmLen:...), the TCP flags with their Seq, Ack, Win and TcpLen values, and for the SYN an options line TCP Options (1) => MSS: 1460)


Let's play with Snort!

Run Snort with the following command:

snort -c /path-to-your-config-file -de -l /path-to-your-log-directory

That will run Snort with the configuration file at your /path-to-your-config-file and the log directory at /path-to-your-log-directory. This is some example output that you should see (see Listing 1).
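Reading the log file the way the article describes, but programmatically: an added Python example (not part of the original article) that parses records in the layout of Listing 2, Snort's "alert full" format, and counts alerts per source address. The log lines are constructed samples, not captured traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of Snort's "alert full" log (not captured data).
SAMPLE_ALERTS = """\
[**] [1:1000001:1] A Test [**]
[Priority: 0]
02/23-13:33:59.756180 192.0.2.10:33552 -> 192.0.2.1:2222
TCP TTL:64 TOS:0x0 ID:27874 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x1554F001  Ack: 0xA122F3F1  Win: 0x2238  TcpLen: 20
TCP Options (1) => MSS: 1460

[**] [1:1000001:1] A Test [**]
[Priority: 0]
02/23-13:34:02.101222 192.0.2.10:33553 -> 192.0.2.1:2222
TCP TTL:64 TOS:0x0 ID:27875 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x1554F002  Ack: 0xA122F3F2  Win: 0x2238  TcpLen: 20

[**] [1:1000002:1] Constructed SSH probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/23-13:40:11.000001 198.51.100.7:40001 -> 192.0.2.1:22
TCP TTL:52 TOS:0x0 ID:1 IpLen:20 DgmLen:40
******S* Seq: 0x0  Ack: 0x0  Win: 0x400  TcpLen: 20

[**] [1:1000003:1] Constructed ICMP echo [**]
[Priority: 3]
02/23-13:41:00.500000 203.0.113.9 -> 192.0.2.1
ICMP TTL:128 TOS:0x0 ID:512 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:1  ECHO
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PRIORITY = re.compile(r"\[Priority: (\d+)\]")
# Timestamp, then src[:port] -> dst[:port]; ports are absent for ICMP records.
FLOW = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$"
)
PROTO = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+)")


def parse_alerts(text):
    """Return one dict per alert record; records are separated by blank lines."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        head = HEADER.match(lines[0]) if lines else None
        if not head:
            continue  # not an alert record (for example a stray status line)
        rec = {"gid": int(head.group(1)), "sid": int(head.group(2)),
               "rev": int(head.group(3)), "msg": head.group(4),
               "priority": None, "timestamp": None, "proto": None,
               "src": None, "sport": None, "dst": None, "dport": None}
        for line in lines[1:]:
            m = PRIORITY.search(line)
            if m:
                rec["priority"] = int(m.group(1))
                continue
            m = FLOW.match(line)
            if m:
                rec["timestamp"] = m["ts"]
                rec["src"], rec["dst"] = m["src"], m["dst"]
                rec["sport"] = int(m["sport"]) if m["sport"] else None
                rec["dport"] = int(m["dport"]) if m["dport"] else None
                continue
            m = PROTO.match(line)
            if m:
                rec["proto"] = m.group(1)
        alerts.append(rec)
    return alerts


def summarize_sources(alerts):
    """Map each source address to (alert count, sorted distinct rule messages):
    the 'who breached the line' view that the article collects by hand."""
    counts = Counter(a["src"] for a in alerts if a["src"])
    msgs = defaultdict(set)
    for a in alerts:
        if a["src"]:
            msgs[a["src"]].add(a["msg"])
    return {ip: (n, sorted(msgs[ip])) for ip, n in counts.items()}


def ranked_sources(alerts):
    """Sources ordered by alert count, busiest first (ties broken by address)."""
    summary = summarize_sources(alerts)
    return sorted(summary.items(), key=lambda kv: (-kv[1][0], kv[0]))


if __name__ == "__main__":
    for ip, (n, msgs) in ranked_sources(parse_alerts(SAMPLE_ALERTS)):
        print(f"{ip:16} {n:3}  {', '.join(msgs)}")
```

Point it at the alert file under the -l directory from the command above to get the same per-address summary for real logs.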


Summary.
Snort is for you if:

You have a FreeBSD server which is a border machine that is accessible from the internet.

You are an ISP and you want to keep your network safe.

You have some services that you want to protect against bug exploitation.

You simply have a server that you want to be secure.


Probably many people are wondering about the exact reason to use FreeBSD over the other operating systems. Why FreeBSD, why not GNU/Linux for example? In the beginning I said some things about stability and security. I am not saying that the other operating systems are not secure and not stable, but FreeBSD has proven itself as one of the top OSs. FreeBSD has optimal and effective support of TCP/IP networking. This is a perfect platform for an IDS. One of the important things for such a system is performance and the way the OS handles the network packets. You can see that a slow system cannot be very effective with a heavy network load. That is because all the packets have to traverse the rules of the IDS and that takes some time. The speed of packet processing drives the productivity of the IDS. This lowers the chance a "bad" packet will get in undetected. A clever and smart hacker can see that you protect the network with Snort and probably can find a way to overcome the system. So, the performance needs to be at a very high level to reduce the chance that an intruder will take advantage of this by using a brute force attack.

Against the hackers, any sign of weakness will be exactly where they attempt to attack. So, I would advise you to use only strong and reliable combinations if you wish your machines and network to be safe and secure...


Build An Embedded Video Web Server With NetBSD
Donald T. Hayford


While it's safe to say that the recently developed USB video driver was built and tested using only a 
desktop “i386-compatible” machine, the beauty of NetBSD is that the same driver will work on any 
NetBSD-supported hardware. So grab your favorite embedded processor and let's try some video. 


NetBSD is recognized among the different BSDs for supporting a wide variety of processors and single-board computers. Part of the reason for this is the underlying operating system design that abstracts away the specifics of the hardware interface, allowing high-level device drivers to work equally well for all processor configurations. According to David Chisnall, who wrote in NetBSD: Not Just for Toasters (NetBSD: Not Just for Toasters, David Chisnall):

NetBSD has a well-deserved reputation for portability. Part of this reputation comes from the driver layer, which makes use of an abstraction layer known as the Modular Portability Layer (MPL). This layer enables a single driver to be easily used on all architectures by hiding details of exactly how the host talks to the hardware and dramatically reduces the amount of work needed to port it to a new architecture.

In an earlier issue, for example, we added the audio device 
driver to the Linksys NSLU2 (Slug) ARM-based kernel in order 
to play music on a Slug (Play Music On Your Slug With NetBSD, 
Donald T. Hayford, BSD Magazine, Vol. 2, No. 1, 1/2008). I've 
also successfully added the NetBSD Bluetooth drivers to a 
NSLU2 kernel. In this article, we'll use the Slug and NetBSD to 
put together a small, embedded system that can serve video 
to a web browser or capture stop-action images using a UVC- 
compliant USB video camera. 


USB Video 

The USB Video Class (UVC) specification was developed by the USB Implementers Forum (http://www.usb.org/) and is available at their website (See the Video Class 1.1 document set available at http://www.usb.org/developers/devclass_docs/USB_Video_Class_1_1.zip). Initially released in 2003, the latest version, 1.1, came out in June, 2005, and a UVC-compatible driver has been in OpenBSD since April, 2008. As part of the 2008 Google Summer of Code (See http://code.google.com/soc/2008/) project, Pat Mahoney, under the guidance of Jared McNeill, developed a NetBSD driver (See http://netbsd-soc.sourceforge.net/projects/uvc/ for more information) that is UVC-compatible.

Not surprisingly, UVC support is available in Linux and has been built in since the 2.6.26 kernel. Video programming support has been available in Linux for a number of years in the form of a library known as video4Linux (v4l). That library has been updated and the standard video interface is now known as video4Linux2 (v4l2) (See http://www.linuxtv.org/downloads/video4linux/API/V4L2_API/ for a copy of the API). Nearly all open source software that uses video uses one of these two APIs. The NetBSD driver is v4l2-compatible, so the NetBSD programming interface is the same as the Linux v4l2 API.

Figure 1. The Slug sends a picture of its favorite magazine to the browser (screenshot of a Firefox window titled "Camera Display" at http://192.168.1.240/, showing the heading "NetBSD USB Camera Capture" and the text "This is a test page for the webserver!")

I’m sure that when Pat Mahoney 
was developing the USB video driver, 
the furthest thought from his mind was 
whether that driver would also work with 
a 266 MHz Arm processor with 32 MB 
of memory. But it should. So, get out your 
favorite NetBSD-supported embedded 
processor and let's give it a try. 

What you'll need: 


A processor board with Ethernet and USB interfaces that is supported by NetBSD. I've used the Linksys NSLU2 and the Buffalo Kurobox Pro/Linkstation Pro. You can even use a desktop computer if you want, though what fun you'll find in that I couldn't say. The Linksys NSLU2 is used as the example in this article since it is better supported by NetBSD.

A USB camera that is compatible 
with the UVC (USB Video Class) 
standard. For this article, | used 
a Logitech QuickCam Deluxe 
for Notebooks. If the camera 
documentation says Certified for 
Windows Vista, then it is UVC- 
compatible and will work with the 
NetBSD UVC driver. Just another 
of the many nice things that the 
Redmond crowd has done for the 
*nix world. (Note: Vista-compatible 
and Certified for Windows Vista are 
not the same thing.) 

A desktop computer with Linux or a 
version of BSD to use for building 
NetBSD, and to serve files to your 
embedded system. 


What you'll end up with: 


A program that can read images 
from the camera and store them on 
the embedded computer's disk. 

A simple webserver that can serve 
images from the camera to a 
browser. 

A program that can collect stop- 
action video from the camera. 


Get and Build the System Software

The process of building and installing a NetBSD kernel on the NSLU2 has been described many times, so I'll just hit the highlights here. If you need more information, see the articles in the NetBSD wiki (See http://wiki.netbsd.se/How_to_install_NetBSD_on_the_Linksys_NSLU2_(Slug)_without_a_serial_port%2C_using_NFS_and_telnet) or previous issues of BSD Magazine (NetBSD on the NSLU2, Donald T. Hayford, BSD Magazine, Vol. 1, No. 1, 1/2008). Listing 1 shows all of the steps necessary to build the kernel for the NSLU2. If you want to try out video with a desktop machine, you won't need to change the kernel configuration file since the video driver is already included in the i386 configuration. If you want to try this for the Kurobox Pro, refer to the 2/2009 issue of BSD Magazine (Building NetBSD for Embedded Systems Using Cygwin, Donald T. Hayford, BSD Magazine, Vol 2, No. 2, 2/2009) for instructions on how to build a kernel for that device. If you want to use some other processor, check its configuration file to see if the video device driver has already been added. Obviously, you will need to adjust the steps in Listing 1 for the processor type and configuration file names that match your particular processor.

Listing 1. Steps to acquire and build NetBSD for the NSLU2

mkdir netbsd-20081215
cd netbsd-20081215
export CVS_RSH="ssh"
export CVSROOT="anoncvs@anoncvs.NetBSD.org:/cvsroot"
cvs checkout -D 20081215-UTC src
mkdir npe
cd npe
(go to Intel website: http://www.intel.com/design/network/products/npfamily/ixp400_current.htm, download the file IPL_ixp400NpeLibrary-2_3_2.zip to this directory)
unzip IPL_ixp400NpeLibrary-2_3_2.zip
cd ixp400_xscale_sw/src/npeDl/
echo "#define IX_NPEDL_NPEIMAGE_NPEB_ETH" > IxNpeMicrocode.h
echo "#define IX_NPEDL_NPEIMAGE_NPEC_ETH" >> IxNpeMicrocode.h
cc IxNpeDlImageConverter.c -o foo
./foo
cp IxNpeMicrocode.dat ../../../../src/sys/arch/arm/xscale/
cd ../../../../src/sys/arch/evbarm/conf
echo 'include "arch/evbarm/conf/NSLU2"' > NSLU2_ALL
echo 'uaudio* at uhub? port ? configuration ?' >> NSLU2_ALL
echo 'audio* at uaudio?' >> NSLU2_ALL
echo 'uvideo* at uhub?' >> NSLU2_ALL
echo 'video* at videobus?' >> NSLU2_ALL
echo 'config netbsd-vid-npe0-200812 root on npe0 type nfs' >> NSLU2_ALL
echo 'config netbsd-vid-sd0-200812 root on sd0a type ffs' >> NSLU2_ALL
echo 'config netbsd-vid-sd1-200812 root on sd1a type ffs' >> NSLU2_ALL
cd ../../../..
./build.sh -O ../obj-armeb -T ../tools-armeb -m evbarm-eb tools
./build.sh -O ../obj-armeb -T ../tools-armeb -D ../distrib-armeb -R ../rel-armeb -U -u -m evbarm-eb distribution
./build.sh -O ../obj-armeb -T ../tools-armeb -D ../distrib-armeb -R ../rel-armeb -U -u -m evbarm-eb -V \
    KERNEL_SETS=NSLU2_ALL release

Listing 2. Obtaining and building the necessary packages

mkdir ~/pkgsource
cd ~/pkgsource
ftp ftp://ftp.NetBSD.org/pub/pkgsrc/pkgsrc-2008Q3/pkgsrc-2008Q3.tar.gz
su
(enter your root password)
tar -xzf pkgsrc-2008Q3.tar.gz -C /usr
cd /usr/pkgsrc/www/bozohttpd
make install clean
cd ../../net/wget
make install clean
vi /etc/inetd.conf
(change the two lines that start with "#http" to:)
http stream tcp nowait:600 httpd /usr/pkg/libexec/bozohttpd bozohttpd /var/www
http stream tcp6 nowait:600 httpd /usr/pkg/libexec/bozohttpd bozohttpd /var/www
(save the file)
chmod 775 /var/www
exit
(exit superuser mode)

Once you've built the kernel, you'll need to set up the root disk and boot your embedded computer. Instructions for the NSLU2 or Kurobox Pro can be found in the same references as for building the kernel. You'll also want to set up a non-root user that can su to root when necessary (i.e., is a member of the wheel group).

Next, you'll need to get the packages source (For more information on using NetBSD packages, see The pkgsrc guide at http://www.netbsd.org/docs/pkgsrc/). While you can cross-build packages, I think it's easier just to do it on the Slug (albeit, a little slower). So, boot up your Slug and follow the steps in Listing 2 to get the package source, install it, and build the web server that we'll use to send video images to the browser. There are several web servers that will run on small machines like the Slug; we'll use the Bozotic web server found at /usr/pkgsrc/www/bozohttpd. No, I don't know what Bozotic means, either. Though a goofy name, this tiny web server is surprisingly powerful. Also, build and install wget as shown at the end of Listing 2 to simplify retrieving some files later.

If you look into the available packages that can work with video, you'll find some nice ones, along with several, such as xawtv, that also include a video web server. You can even build xawtv, if you want. But you'll run into problems if you try to run these packages on your embedded processor. The first is that most of these packages expect to find an X windows server, and so won't run (unless, of course, you have an X server running on your embedded processor). Even those that run from the command line will complain about not finding a suitable video driver. What's up, you ask? The problem, as far as I can tell, is that the USB video driver is available in -current (which is the kernel version we built), but not yet in the standard release. Until it is, these packages are looking for a pci-based video card or similar hardware, and don't yet work with the video4Linux2 interface that the USB driver implements. But don't worry, we'll build our own.

Listing 3. Acquiring and Building the Video Capture Software

mkdir ~/video
cd ~/video
wget http://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/magazine.tar.gz
gunzip magazine.tar.gz
tar -xvf magazine.tar
cd magazine
cp index.html /var/www
gcc grabvideo.c jpeg_mangle.c -o grabvideo
gcc timedavigrab.c jpeg_mangle.c -o timedavigrab
gcc timedvideograb.c jpeg_mangle.c -o timedvideograb

Listing 4. Output from the grabvideo program

-bash-3.2$ ./grabvideo /dev/video0 testimag.jpg
video format info
        height: 240
        width: 320
        bytes per line: 640
        image size: 153600
        pixel format: 47504a4d
        enum field:1
grabbed 5705 bytes


Getting and Building the Video Capture Software

To save you some typing (and typos), the simple programs used in this article to capture video were uploaded by Jared McNeill to the NetBSD ftp server at http://ftp.netbsd.org/pub/NetBSD/misc/jmcneill/magazine.tar.gz. Listing 3 shows how to download and build the necessary files. Two of the files, jpeg_mangle.c and .h, are adapted from files of the same name from Pat Mahoney's source code in the SourceForge CVS repository (The CVS repository can be found at http://netbsd-soc.cvs.sourceforge.net/netbsd-soc/uvc/). The other C source files are adaptations of a simple video capture program from Jared.

After building these three programs, run the program called grabvideo, as shown in Listing 4. This listing also shows the output that I got. The output lists some of the information available from your camera and is mostly self-explanatory. But notice the line that starts with pixel format and ends with four hex values. If the line you get looks the same, then the rest of the programs provided here will work for you as is; if not, you will have a little more work to do. So what does this all mean?

The system interface to the video driver is captured in the file src/sys/sys/videoio.h, a portion of which is shown in Listing 5, while the relevant portions of the code from videograb.c are shown in Listing 6. After the video device is opened, the driver is queried through the ioctl call for the image format using the structure defined as v4l2_format in Listing 5. As of this writing, there are thirty supported formats, ranging from simple RGB one-to-three byte arrays to more complicated YUV arrays or compressed video. The format is specified by a v4l2_fourcc macro as shown at the bottom of Listing 5. Only a few of these are shown in Listing 5; refer to the header file and the v4l2 documentation for the complete list. My camera returns a format of 0x47504a4d, which are the four ASCII bytes G, P, J, and M, or read in a mirror, MJPG, representing Motion JPEG. This is essentially the standard compressed JPEG format except that the table used for the Huffman encoding is fixed and, thus, left out. Motion JPEG is not as good as many of the compression routines that use frame-to-frame predictions like MPEG-2 or -4. However, for surveillance cameras or other applications where there is a significant time gap between frames, MJPG has the advantage that each frame can be reconstructed without any knowledge of previous frames. If your camera's pixel format is MJPG (and many are), the software as written will work for you. If not, the software will report that it


Listing 5. Portion of the NetBSD videoio.h header file

/* $NetBSD: videoio.h,v 1.4 2008/09/25 19:34:40 jmcneill Exp $ */

<snip>

struct v4l2_pix_format {
        uint32_t                width;
        uint32_t                height;
        uint32_t                pixelformat;
        enum v4l2_field         field;
        uint32_t                bytesperline;
        uint32_t                sizeimage;
        enum v4l2_colorspace    colorspace;
        uint32_t                priv;
};

<snip>

struct v4l2_format {
        enum v4l2_buf_type      type;
        union {
                struct v4l2_pix_format  pix;
                struct v4l2_window      win;
                struct v4l2_vbi_format  vbi;
                uint8_t                 raw_data[200];
        } fmt;
};

<snip>

/* Pixel formats */
#define V4L2_PIX_FMT_RGB332     v4l2_fourcc('R', 'G', 'B', '1')
#define V4L2_PIX_FMT_RGB555     v4l2_fourcc('R', 'G', 'B', 'O')
#define V4L2_PIX_FMT_RGB565     v4l2_fourcc('R', 'G', 'B', 'P')
#define V4L2_PIX_FMT_RGB555X    v4l2_fourcc('R', 'G', 'B', 'Q')
#define V4L2_PIX_FMT_RGB565X    v4l2_fourcc('R', 'G', 'B', 'R')
<snip>
#define V4L2_PIX_FMT_MJPEG      v4l2_fourcc('M', 'J', 'P', 'G')
#define V4L2_PIX_FMT_JPEG       v4l2_fourcc('J', 'P', 'E', 'G')
#define V4L2_PIX_FMT_DV         v4l2_fourcc('d', 'v', 's', 'd')
#define V4L2_PIX_FMT_MPEG       v4l2_fourcc('M', 'P', 'E', 'G')
<snip>

Listing 6. Code Fragment from videograb.c

<snip>
int
main(int argc, char *argv[])
{
        struct v4l2_format fmt;
        uint8_t *buf;
        int ifd, ofd;
        int error;
        ssize_t rdlen, wrlen;

        if (argc != 3)
                usage();
                /* NOTREACHED */

        ifd = open(argv[1], O_RDONLY);
        if (ifd < 0) {
                perror("open camera failed");
                return EXIT_FAILURE;
        }
        ofd = open(argv[2], O_WRONLY|O_CREAT|O_EXCL, 0644);
        if (ofd < 0) {
                perror("open output failed");
                return EXIT_FAILURE;
        }
        error = ioctl(ifd, VIDIOC_G_FMT, &fmt);
        if (error) {
                perror("VIDIOC_G_FMT failed");
                return EXIT_FAILURE;
        }
        printf("video format info\n\theight: %d\n", fmt.fmt.pix.height);
        printf("\twidth: %d\n", fmt.fmt.pix.width);
        printf("\tbytes per line: %d\n", fmt.fmt.pix.bytesperline);
        printf("\timage size: %d\n", fmt.fmt.pix.sizeimage);
        printf("\tpixel format: %.04x\n", fmt.fmt.pix.pixelformat);
        printf("\tenum field: %d\n", fmt.fmt.pix.field);
<snip>
couldn't figure out where the Huffman table belonged and leave without writing anything. In that case, you'll need to look up your image format and change the supplied software to output that image format. Look around a bit with Google and I'm sure you'll find what you need without too much effort.

Though Motion JPEG is essentially JPEG, most software that will work with JPEG files won't recognize the data if you simply write out the image received from the camera since they expect to find the Huffman table as part of the image data. The routines I borrowed from Pat Mahoney in jpeg_mangle.c/.h figure out where the Huffman table should go and pass back a pointer to the default UVC-specified table, allowing us to write out a standard JPEG image that can be read by other image processing or display programs. Since all standard browsers display JPEG images, we can use that capability to provide a dynamic display of the video image.
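The marker walk that jpeg_mangle performs, as an added Python example (not the article's code and not Pat Mahoney's): locate where the Huffman table belongs in a table-less MJPEG frame, insert a caller-supplied DHT segment there, and decode the fourcc value from Listing 4 into its name. The frame and the DHT bytes are constructed stand-ins; a real conversion supplies the standard default tables from the JPEG specification.

```python
SOI, EOI, SOS, DHT = 0xD8, 0xD9, 0xDA, 0xC4

# Constructed MJPEG-style frame: SOI, a tiny DQT, a SOF0 for 320x240, then SOS,
# two bytes of entropy-coded data and EOI. No DHT segment, as a UVC camera sends it.
MJPEG_FRAME = bytes.fromhex(
    "FFD8"                          # SOI
    "FFDB00040001"                  # DQT (placeholder payload)
    "FFC0000B0800F0014001011100"    # SOF0: 8 bit, 240 high, 320 wide, 1 component
    "FFDA0008010100003F00"          # SOS
    "1234"                          # entropy-coded data (placeholder)
    "FFD9"                          # EOI
)
# Constructed stand-in for the DHT segment; a real conversion inserts the default
# tables from the JPEG standard (Annex K), which is what jpeg_mangle points at.
SAMPLE_DHT = bytes.fromhex("FFC40005000102")


def fourcc_to_str(code):
    """Decode a v4l2_fourcc value: bytes are stored least-significant first,
    which is why 0x47504a4d reads 'GPJM' in hex but names the MJPG format."""
    return bytes((code >> shift) & 0xFF for shift in (0, 8, 16, 24)).decode("ascii")


def iter_segments(frame):
    """Yield (marker, offset, total_length) for each marker segment up to SOS."""
    if len(frame) < 2 or frame[0] != 0xFF or frame[1] != SOI:
        raise ValueError("not a JPEG frame: missing SOI")
    pos = 2
    while pos + 4 <= len(frame):
        if frame[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = frame[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker in (SOI, EOI) or 0xD0 <= marker <= 0xD7:   # standalone markers
            yield marker, pos, 2
            pos += 2
            continue
        seglen = (frame[pos + 2] << 8) | frame[pos + 3]      # counts its own 2 bytes
        if seglen < 2 or pos + 2 + seglen > len(frame):
            raise ValueError("bad segment length at offset %d" % pos)
        yield marker, pos, 2 + seglen
        if marker == SOS:
            return                              # entropy-coded data follows
        pos += 2 + seglen
    raise ValueError("no SOS marker found")


def find_dht_insertion_point(frame):
    """Return (has_dht, sos_offset). A table-less MJPEG frame needs its DHT
    placed ahead of SOS so decoders see the tables before the scan data."""
    has_dht = False
    for marker, offset, _ in iter_segments(frame):
        if marker == DHT:
            has_dht = True
        if marker == SOS:
            return has_dht, offset
    raise ValueError("no SOS marker found")


def add_huffman_tables(frame, dht_segment):
    """Return a standard JPEG: the frame with dht_segment inserted before SOS.
    Frames that already carry a DHT segment are returned unchanged."""
    if dht_segment[:2] != b"\xff\xc4":
        raise ValueError("dht_segment must start with the DHT marker")
    has_dht, sos = find_dht_insertion_point(frame)
    if has_dht:
        return bytes(frame)
    return bytes(frame[:sos]) + bytes(dht_segment) + bytes(frame[sos:])


if __name__ == "__main__":
    print(fourcc_to_str(0x47504a4d), find_dht_insertion_point(MJPEG_FRAME))
    print(len(add_huffman_tables(MJPEG_FRAME, SAMPLE_DHT)), "bytes after adding DHT")
```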

The very simple web page shown in Listing 7, index.html, sends two text lines and an image to the browser for display. In Listing 3, this file was put into the proper directory (/var/www) after we downloaded and untarred it. The javascript embedded in the web page then waits for two seconds and requests a page reload from the web server. The web server sends whatever image is stored in the file /var/www/test.jpg. To make a dynamic display, then, we'll simply write the captured video image to a drive periodically, and the web server will automatically send the latest image every time the browser requests a reload. I used a soft link to connect the image saved by the software to the image file that the web server is looking for, as illustrated in Listing 8. Figure 1 shows a captured image in a browser window.

Listing 7. Simple javascript file that repetitively fetches and displays a video image.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Camera Display</title>
<style type="text/css" id="mtmsheet"></style>
</head>
<body bgcolor="#cedfea">
<h4 align="center">NetBSD USB Camera Capture</h4>
<center>
<IMG src="test.jpg" width=640 height=480 hspace=70 vspace=0 border=1 alt=" ">
<div align="center">
<font face="Courier New, Courier, mono" size="4"><I>This is a test page for the webserver!</I></font><br>
</div>
</center>
<script language="javascript">
setTimeout("window.location.reload(true)", 2000);
</script>
</body>
</html>

Listing 8. Using the timedvideograb program to generate continuously updated still images for the web server

-bash-3.2$ ln -s localtest.jpg /var/www/test.jpg
-bash-3.2$ ./timedvideograb /dev/video0 localtest.jpg 2
video format info
        height: 240
        width: 320
        bytes per line: 640
        image size: 153600
        pixel format: 47504a4d
        enum field:1
sleep time: 2

On the other hand, Motion JPEG is very similar to the QuickTime or AVI video formats. By periodically capturing frames and saving these directly to a file, you can generate a stop-action video using virtually the same software. The only difference is that, instead of rewriting a single image multiple times, you concatenate the successive images. The final piece of software, timedavigrab, does just that, using command line parameters to determine the time interval between frames and the number of total frames.
Conclusion

The new NetBSD UVC video driver appears to work flawlessly on embedded computers as well as on the larger and more capable desktop machines. The package system needs to catch up to the use of the v4l2 API, but I suspect that will happen as NetBSD moves closer to releasing version 5. Operated with a small embedded device like the NSLU2, a USB video camera can be used as a surveillance camera or for capturing stop-action video of slowly changing objects. And since the NSLU2 is a relatively low-power device, setting up a battery-powered remote system should be straightforward.

You'll note that the kernel we built also incorporated the USB audio device as well as the video device. That's because the Logitech camera I used has both audio and video capability. And though we didn't use it here, you can use the /dev/audio device to capture audio as well. If we only had a video output device, we could think about a small, self-contained video conferencing system... Hmm.
Dru Lavigne

Whether you're new to FreeBSD or have been using it for some time, learning a new trick or two can save you time and improve your user experience. In this Tips & Tricks, we'll show you how to save time at the command line, create a trash directory in your shell, build FreeBSD ports without installing the ports tree, control SSH connections, visualize rc.conf, and create an easy-to-use environment for controlling your FreeBSD system.


When You're Stuck at the Shell
The default shell for the FreeBSD superuser account is tcsh. If you have a preference for bash, you can always pkg_add -r bash, but sometimes you are in an environment where you can't install additional software. No worries, the tcsh shell supports many niceties such as autocomplete (by pressing tab) and history (use h or your up arrow to review history and !number to select a numbered command).

Note: You don't have to be the superuser to use the tcsh shell. If you're unsure what shell you are currently using, ask your shell:

echo $0
/bin/tcsh

If you get back a different shell name, type tcsh to enter the tcsh shell. Here I'll change from the Bourne shell (sh) to tcsh.

echo $0
sh

tcsh
echo $0
/bin/tcsh


tcsh provides dozens of built-in hotkeys and allows you to create your own key mappings for commonly used commands. You can view the current key mappings with:

bindkey | more

Standard key bindings
"^@"           -> set-mark-command
"^A"           -> beginning-of-line
"^B"           -> backward-char
"^C"           -> tty-sigintr

The ^ means hold down the control key while you press the character that follows. Note that the standard key bindings are case insensitive, meaning ^a is equivalent to ^A; however, the multi-character bindings are case sensitive.

If you're unsure what a binding does after reading its description, type some text at the command line and see what happens when you try the key binding.

You can create your own key bindings, which can be very useful for commonly repeated actions. While you can overwrite any current key binding, you may prefer to search for an undefined binding:

bindkey | grep undefined

"^G"           -> is undefined
(further undefined bindings follow)

You can then bind whatever command (string) you wish as long as the command is enclosed in quotes. Be sure to test your binding after creating it:

bindkey -s "^G" "csup -L2 /root/cvs-supfile"

Listing 1. Minimal Ports Tree Installed by porteasy

ls /usr/ports
.cvsignore   INDEX-7       Makefile    UIDs        www/
CHANGES      INDEX-7.bz2   Mk/         UPDATING
COPYRIGHT    KNOBS         README      converters/
CVS/         LEGAL         Templates/  devel/
GIDs         MOVED         Tools/      misc/
cd /usr/ports/www
ls
CVS   Makefile   lynx-current/
cd lynx-current
make install clean

Listing 2. Configuring SSH for ls Only

ssh localhost
Enter passphrase for key '/home/dru/.ssh/id_rsa': mypassphrasehere
PTY allocation request failed on channel 0
Desktop
Documents
Images
Music
Videos
file1
file2
Connection to localhost closed.


In this example, I've bound control g to the command I use to check for system updates. Now, whenever I press control g I'll see:

csup -L2 /root/cvs-supfile

If I don't want to have to press enter after I see the command to start it, I should change the binding to create the newline (press enter) for me:

bindkey -s "^G" "csup -L2 /root/cvs-supfile\n"

Now when I press control g:

csup -L2 /root/cvs-supfile
Parsing supfile "/root/cvs-supfile"
Connecting to freebsd.nycbug.org
Connected to 66.111.2.68....


Command Line Trash Directory

If you're used to working in a GUI environment, you may find the ability to periodically restore files from a trash bin quite useful. If so, you've probably noticed that at the command line, once a file is deleted, it is gone forever. If you've ever been bitten by this, consider creating a simple script. First, cd into your home directory and create two directories: one to hold your script (bin) and the other to act as a hidden trash (.trash) directory to store deleted files:


cd 

mkdir bin .trash 

Next, create a script called trash and
save it in your newly created bin directory.
This command shows the contents of
that file:

more ~/bin/trash
#!/bin/sh
# script to send deleted files to hidden trash directory
mv -- "$1" ~/.trash/

Don't forget to make the script
executable:

chmod +x ~/bin/trash


Next, create an alias to replace the rm
command with the trash script by adding
this line to ~/.cshrc:

alias rm trash

Finally, test that it works:

source ~/.cshrc
echo "some garbage text" > testfile
rm testfile
ls ~/.trash
testfile

If you ever really do want to delete a file
without sending it to the trash directory,
you can override your alias like this:

\rm filename


Keep in mind that your trash directory
will only work while you're in the shell
and it won't be available to you if the
configuration file for your shell does
not contain the alias. You may wish to
create a trash directory and rm alias for
both your regular user account and the
superuser account.
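The one-line script above takes a single argument, so rm file1 file2 trashes only file1, rm -rf dir tries to move a file called -rf, and trashing a second file with the same name silently overwrites the first. The version below is an added example, not the article's own script; it keeps the article's interface (install it as ~/bin/trash and alias rm to it as above). TRASH_DIR is a variable introduced here and defaults to the article's ~/.trash.

```shell
#!/bin/sh
# trash: safer replacement for the one-line script above.
# Added example, not the article's own script. Install as ~/bin/trash and
# alias rm to it exactly as the article does. TRASH_DIR is a variable
# introduced here; it defaults to the article's ~/.trash.

TRASH_DIR="${TRASH_DIR:-$HOME/.trash}"

# trash_put FILE...: move every FILE into $TRASH_DIR without clobbering.
# Arguments beginning with "-" are refused up front (so "rm -rf dir" fails
# loudly instead of half-running); use ./-name for a file that starts with "-".
# Returns 1 if anything could not be moved.
trash_put() {
    for f in "$@"; do
        case "$f" in
            -*) printf 'trash: options such as %s are not supported\n' "$f" >&2
                return 1 ;;
        esac
    done
    mkdir -p "$TRASH_DIR" || return 1
    status=0
    for f in "$@"; do
        if [ ! -e "$f" ] && [ ! -L "$f" ]; then
            printf 'trash: %s: no such file or directory\n' "$f" >&2
            status=1
            continue
        fi
        dest="$TRASH_DIR/$(basename -- "$f")"
        # A name already in the trash gets a timestamp and counter suffix
        # so the earlier copy survives (plain mv would overwrite it).
        if [ -e "$dest" ] || [ -L "$dest" ]; then
            stamp=$(date +%Y%m%d%H%M%S)
            n=1
            while [ -e "$dest.$stamp.$n" ] || [ -L "$dest.$stamp.$n" ]; do
                n=$((n + 1))
            done
            dest="$dest.$stamp.$n"
        fi
        mv -- "$f" "$dest" || status=1
    done
    return "$status"
}

# trash_count: number of entries in the trash, dotfiles included.
trash_count() {
    if [ -d "$TRASH_DIR" ]; then
        find "$TRASH_DIR" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# trash_empty: really delete everything in the trash (the one place
# \rm-style deletion belongs).
trash_empty() {
    [ -d "$TRASH_DIR" ] || return 0
    find "$TRASH_DIR" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +
}

# Dispatch only when invoked as the installed script, so the functions can
# also be sourced and tested.
case "$0" in
    */trash|trash) trash_put "$@" ;;
esac
```

Refusing options outright is deliberate: an alias that quietly accepted rm -rf would teach the habit that destructive flags are harmless, and the day the alias is missing (a root shell, another machine) the real rm would honour them.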


Building a Port Without
Installing the Ports Tree

If you have a slow Internet connection
or limited disk space, it can be a pain
to download and maintain the entire
ports tree. The current tarball of the ports
tree is over 42MB, and once unzipped it
can take up a few hundred MBs of disk
space. If you only build a few ports, it
makes sense to just download the part
of the ports tree that you need to build
the ports you need. This can be easily
done with the porteasy utility.

Figure 2. Knobs Editor in thefish

To use this utility, become the
superuser, install the porteasy
package and create an empty ports
directory:

pkg_add -r porteasy
rehash
mkdir /usr/ports

porteasy uses anonymous cvs, so you
need to prepare your environment first:

touch ~/.cvspass
setenv CVSROOT :pserver:anoncvs@anoncvs.tw.FreeBSD.org:/home/ncvs

Bear in mind that pserver connections are
neither encrypted nor authenticated, so
the port skeletons fetched this way are
only as trustworthy as the network path
to that mirror.


Now, whenever you want to download
(update) the ports skeleton for an
application, specify the name of the port
you wish to build. In this example, I want to
download the skeleton for the lynx port:

porteasy -u lynx


The first time you run porteasy, it will
download the ports INDEX as well as all
the tools, templates, and Mk files that the
ports system needs. If your output ends
in a message similar to this:

Can't find required port 'lynx', maybe
you mean:
lynx-2.8.6.5_3
lynx-2.8.7.d13
some required ports were not found.

it means that there are multiple
versions of the application you requested
and that you need to specify which
version you want:

porteasy -u lynx-2.8.7.d13


You can get the version information 
ahead of time by asking for the list: 


porteasy -l lynx 


Once the update command successfully
finishes, you can cd into the ports
directory of the application and build the
port as usual: see Listing 1.


Controlling SSH
FreeBSD comes with an SSH server
which has been pre-configured with
some security options. For example, by
default, SSH logins by the superuser
account are refused. You can further
tighten up who is allowed to SSH to your
system by modifying the SSH server
configuration file, /etc/ssh/sshd_config.
For example, to only allow logins from
the user "dru", add this line to the bottom
of the file:

AllowUsers dru

Note that while sshd_config keywords
themselves are case-insensitive, their
arguments are not: AllowUsers Dru would
not match the account dru. You can
add multiple user accounts by placing a
space between each user. Don't forget to
tell your SSH server that you have made
changes to this file:


Figure 3. Strings Editor in thefish

/etc/rc.d/sshd restart


You should also test that your changes
worked by trying to log in as the specified
user (which should work) and as several
unspecified usernames (which should
fail). Running sshd -t before the restart
reports syntax errors without disturbing
the running daemon, and keeping your
existing session open until the new login
test succeeds means a typo cannot lock
you out. man sshd_config contains many
more keywords which can be used to
control behaviour such as which IPs are
allowed to connect and how users can
authenticate once they connect.

If your users are using public key
authentication, you can configure your
SSH server to allow them to connect only in
order to run a single command. For example,
the superuser can configure a user to
connect in order to see a listing of the files
in their home directory, but not to receive a
network terminal (pty) where they can run
additional commands. This configuration
requires you to su to that username and
modify the authorized_keys file in that
user's home directory on the SSH server
by inserting this text at the very beginning
of ~username/.ssh/authorized_keys, right
before the ssh-rsa or ssh-dss keyword:

command="ls",no-pty

Be sure to have that user test that ssh
works as expected: see Listing 2.

If the user instead receives a shell,
double-check that your inserted text is
not on its own line and is just before the
key itself, separated from it by a single
space.

Note that command= only fixes which
program runs; whatever the client asked
for is handed to that program in the
SSH_ORIGINAL_COMMAND environment
variable, and the session can still request
port forwarding, agent forwarding and X11
forwarding unless you also add
no-port-forwarding, no-agent-forwarding
and no-X11-forwarding to the same
comma-separated options list.

The AUTHORIZED_KEYS FILE FORMAT
section of man sshd contains many more
ideas for controlling how users connect
to your SSH server and what they can do
once they get there.
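A forced command that is itself a small script is more flexible than a bare command="ls": it can look at what the client actually asked for and refuse everything that is not on an allowlist, while still never executing the client's string. The wrapper below is an added example, not from the article or from OpenSSH. The install path /usr/local/bin/ls-only is an assumption, and the decision is factored into allow_original_command so it can be exercised without an SSH session.

```shell
#!/bin/sh
# ls-only: forced-command wrapper for an authorized_keys entry such as
#   command="/usr/local/bin/ls-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...
# Added example, not part of the article or of OpenSSH. The path
# /usr/local/bin/ls-only is an assumption.
#
# sshd runs this script instead of whatever the client requested and places
# the client's request in SSH_ORIGINAL_COMMAND (empty for a plain "ssh host").

# allow_original_command REQUEST: return 0 if REQUEST is on the allowlist.
# Exact string matches only; no globbing, no eval, so "ls; sh" or
# "ls -l /etc" are rejected along with everything else.
allow_original_command() {
    case "$1" in
        ''|ls|'ls -l'|'ls -la') return 0 ;;
        *) return 1 ;;
    esac
}

# run_forced_command: the entry point sshd reaches. Runs the fixed listing
# of the user's home directory (the article's "ls") and never the client
# string itself; only the allowlisted variants select which flags ls gets.
run_forced_command() {
    if allow_original_command "${SSH_ORIGINAL_COMMAND-}"; then
        cd "$HOME" || exit 1
        case "${SSH_ORIGINAL_COMMAND-}" in
            'ls -l')  exec ls -l ;;
            'ls -la') exec ls -la ;;
            *)        exec ls ;;
        esac
    fi
    printf 'ls-only: refused request: %s\n' "${SSH_ORIGINAL_COMMAND-}" >&2
    logger -p auth.warning -t ls-only "refused: ${SSH_ORIGINAL_COMMAND-}"
    exit 1
}

# Dispatch only when invoked under the installed name, so the functions can
# be sourced and tested without an SSH session.
case "$0" in
    */ls-only|ls-only) run_forced_command ;;
esac
```

The refusal is logged to syslog's auth facility so that repeated attempts to run something else with the restricted key show up next to sshd's own messages.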


Visual rc Settings
One of the beauties of FreeBSD is that
one text file, /etc/rc.conf, controls which
services start at system boot. This file is
easy to edit and man rc.conf does a great
job of letting you know what services and
options are available for this file.

But, sometimes it is nice to have
a more visual representation of the
possible services to run at system
startup. A utility known as thefish provides
an easy-to-use menu-based program for
controlling services. It is easy to install
and use (Figure 1):

pkg_add -r thefish
rehash
thefish

By pressing enter with the Knobs entry
highlighted, you can see which services
are available and which will automatically
start at boot time: see Figure 2.

You can also insert options (as
described in man rc.conf) using the
Strings editor: see Figure 3.

Note: If you run thefish from a GUI,
you may instead see the GTK/QT version
which offers the same functionality with
a slightly different look and which allows
you to select options with your mouse.


Controlling your
System with Webmin

I've been a big fan of Webmin (http:
//webmin.com/) for years and continue
to be amazed as every version adds yet
more functionality and improvements.
While designed for remote administration
of server systems, it is so handy that even
novice users should consider using it to
manage their own desktops.

Note: The system you wish to control
should have webmin installed. You can
then access that system from any
system containing a web browser.

You can install and configure webmin
as follows:

pkg_add -r webmin
/usr/local/lib/webmin/setup.sh

During the setup.sh script, you can press
enter to accept the default path locations.
It is a good idea to enter a different port
number, login name, password, and
to choose y for SSL when prompted.


Figure 4. Webmin 1.450 on pcbsd (FreeBSD 7.0) in Mozilla Firefox

Once the script is finished, open a web
browser and type https://localhost:portnumber,
where portnumber is the port number
you chose during setup.sh.

Note: Webmin uses a self-signed
certificate for SSL connections. If your
browser complains, follow its instructions
to add an exception to accept the
certificate. Also, if for some reason
webmin did not start, you can start it with
/usr/local/etc/rc.d/webmin onestart.

Once you've logged in, you'll quickly
find that webmin allows you to control
most aspects of your system: see Figure
4.

You'll definitely want to first spend
some time in Webmin Configuration
under Webmin. Here you can control
which IP addresses and users are
allowed to connect to your webmin
server and the type of authentication to
use when connecting to webmin. Webmin
runs as root, so this access list is all that
stands between anyone who can reach the
port and full control of the machine; on a
desktop, allowing only 127.0.0.1 is the
sensible default. You can also install
additional modules and upgrade your
version of webmin.
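Because those setup.sh answers end up as plain key=value lines in Webmin's miniserv.conf, they can be audited from a script as well as from the browser. The check below is an added example, not part of Webmin or of the article; the path /usr/local/etc/webmin/miniserv.conf and the key names ssl, allow, bind and port are assumptions about how Webmin stores those settings, and the configurations fed to it in testing are constructed.

```shell
#!/bin/sh
# Audit Webmin's miniserv.conf for the settings the article has you change
# in setup.sh. Added example, not part of Webmin or the article. The path
# /usr/local/etc/webmin/miniserv.conf and the key names ssl, allow, bind and
# port are assumptions about how Webmin stores those choices.

# conf_get KEY FILE: value of the first "KEY=value" line, empty if absent.
conf_get() {
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# audit_miniserv [FILE]: print one finding per line on stdout; return 0
# when there are none, 1 when there are, 2 if the file is unreadable.
audit_miniserv() {
    conf="${1:-/usr/local/etc/webmin/miniserv.conf}"
    [ -r "$conf" ] || { printf 'cannot read %s\n' "$conf" >&2; return 2; }
    findings=0

    # setup.sh asks whether to use SSL; anything but ssl=1 sends the
    # login form and password across the network in clear text.
    if [ "$(conf_get ssl "$conf")" != "1" ]; then
        echo "ssl is not 1: logins cross the network unencrypted"
        findings=$((findings + 1))
    fi
    # Without an allow= list every address that can reach the port may try
    # to log in, and Webmin runs as root.
    if [ -z "$(conf_get allow "$conf")" ]; then
        echo "no allow= line: no source-address restriction on logins"
        findings=$((findings + 1))
    fi
    # A desktop has no reason to listen on anything but loopback.
    if [ -z "$(conf_get bind "$conf")" ]; then
        echo "no bind= line: listening on every interface"
        findings=$((findings + 1))
    fi
    # The article suggests a non-default port; 10000 is the one scanners try.
    if [ "$(conf_get port "$conf")" = "10000" ]; then
        echo "port is the well-known default 10000"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}
```

Run it as root after setup.sh (and again after upgrading Webmin, which rewrites its configuration) and treat any line of output as something to fix in Webmin Configuration before exposing the port.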

The System section allows you to 
easily: 

control which services start at 
bootup 
change user passwords 
manage disk quotas 
mount filesystems 
backup and restore directories 
install, configure, and use LDAP 
view and control running processes 
schedule commands and cron jobs 
manage packages 
read and search manpages 


manage and read logs
manage users and groups 


If you’re running any services on your 
system, youll quickly become addicted 
to the Servers section and the other 
sections that follow. Here you can control 
services such as: 


BIND DNS 

CVS 

Sendmail, Qmail and Postfix 
SSH 

Apache 

IPFW and IPFilter 

NFS 

Printers 

Bacula 

MySQL and PostgreSQL 
Samba 

SpamAssassin 

FTP 

Squid 


Summary

I hope that you enjoyed these Tips &
Tricks and have found something to try on
your FreeBSD system. You can find many
more tips and tricks for BSD systems in
the books BSD Hacks, published through
O'Reilly, and The Best of FreeBSD Basics,
published by ReedMedia.
Maintaining System
Configuration Files Using
Subversion

Mikel King


Recently I was asked about
maintaining a data center full of
servers, more specifically about
maintaining a repository of the
configuration files for all servers in the data
center. As our data centers and systems
in general become more sophisticated,
managing the complex array of
configuration data is in itself nearly
as important as managing the user data stored on them.

Anyone who's ever lost a server as a
result of some catastrophic failure, be it
failed equipment or some other nefarious
means, knows it is not easy to rebuild a
system to its pre-failure state. Let's face it,
even the best backups can yield less than
accurate results should the archive media
become faulty. As a layer of redundancy
I like the idea of a configuration
management solution. Of course disaster
preparedness is not the only reason one
might consider implementing some sort
of configuration management solution.

If you have a large installation of
equipment it becomes increasingly
difficult to keep track of the numerous
system updates and configuration files,
especially if you are in an environment
with inconsistent technical staff as a result
of high employee turnover, for instance.

Several years ago, during a large
coding project, I was introduced to
Subversion, and although I had been
familiar with other versioning solutions, for
whatever reason svn stuck. Initially we
started with just the code base; however,
the more we used it the more we put into
the repository. I ended up dropping all
of the documentation and the Apache, PHP and
MySQL configuration files into it.

Shortly after completing the beta
testing we had to replicate the entire
server installation onto numerous front
end production web servers. It was then
that it hit me that if we had the svn client
on each server, all we would have to do
is run a checkout to have 90% of the
configuration completed.

This certainly helped expedite
server rollouts. Of course it did add an
additional step to the pre-deployment
build out: in addition to installing PHP,
Apache and MySQL we would now have
to install svn. Although this is not a huge
task, it does add a layer of complexity to
the overall scheme. One could also use an svn
repository to manage the build options
for your systems to ensure that you are
creating nearly identical deployments.

As you can see this can snowball
rather quickly, and it's a delicate balancing
act determining where to draw the line. In my
data center I have opted for maintaining a
repository of /etc and /usr/local/etc
for each server.

To keep things simple I shall assume
that you have a working repository server.
While there are several different ways to
organize this repository, I have found that
the best is to start with a group of like
servers based on function. For instance,
let's start with the named servers. Of
course I am assuming that each server
only performs a single function. If you are a
jails jockey then this is likely to be the case;
however, if you are constrained by space,
power and hardware it is more likely that
each machine fills at least two billets.

Still, for the sake of simplicity let's
roll with the assumption that you only
have one service per server. In addition
we shall limit our discussion to a single
division, as some organizations will
have multiple divisions as well as being
dispersed across multiple locations.
Again, for the sake of simplicity let's
assume that you only have the one.

Very well, with the basic assumptions
in place we need to construct our server
repository. After confirming that I am able to
access the svn server, I begin by adding
the server to the 'Servers' repository. From
the prompt on the server named thoth, I
would run the following command:

thoth: svn mkdir svn://svn.olivent.com/Servers/THOTH

Notice that I placed the server name in
all capital letters. This is a habit I picked
up from customizing kernels in FreeBSD,
where one would copy GENERIC to the
host name in all caps. You are certainly
free to set up your system as suits your
personal style best.

The next step is to start importing
/etc and /usr/local/etc into the system.
The easiest way to accomplish this is to
execute the following as root:

thoth: svn mkdir svn://svn.olivent.com/Servers/THOTH/etc
thoth: cd /etc
thoth: sudo svn import svn://svn.olivent.com/Servers/THOTH/etc

Although the import command should
recursively create the target for you at
the destination, I have found it is better
to explicitly create it yourself. The import
command assumes that your current
working directory is the one you wish to
import. If the command is successful then
you will see numerous files listed, ending

with Committed revision XX, where XX is
the actual revision number.

Listing 1. Single user mode rebooting

thoth: svn checkout svn://svn.olivent.com/Servers/THOTH/etc tce

*****Reboot to single user mode*****

[the remaining commands of this listing are illegible in the source]
Using the same methodology let's
add /usr/local/etc into the repository:

thoth: svn mkdir svn://svn.olivent.com/Servers/THOTH/usr
thoth: svn mkdir svn://svn.olivent.com/Servers/THOTH/usr/local
thoth: svn mkdir svn://svn.olivent.com/Servers/THOTH/usr/local/etc
thoth: cd /usr/local/etc
thoth: svn import svn://svn.olivent.com/Servers/THOTH/usr/local/etc


Observe that once again I explicitly
created and specified the destination.
Because import will assume that you
wish to import everything in the present
working directory, I change the path to
/usr/local/etc to ensure that I do
not collect any collateral files; you can
imagine what would happen if I imported
all of /usr. OK, so now we have all of our
current configuration files imported into
the repository, but that really only helps us
half way. One of the main advantages of
using a versioning system like Subversion
is to improve the ability to capture
changes to system configuration files as
well as document why those changes are
being made. Therefore, in order to make
use of this we need to check out and place
into service our versioned copies of these
files. This actually can get a bit tricky.

thoth: cd /usr/local/
thoth: mv etc old-etc
thoth: svn checkout svn://svn.olivent.com/Servers/THOTH/usr/local/etc


At this point I have accomplished storing
both /etc and /usr/local/etc in the
repository for the machine known as
THOTH. In addition I have successfully
checked out the current repository
version of /usr/local/etc. Depending
on your system and its activity you
may prefer to perform the checkout to
a temp folder and drop down to single
user mode. If it's a new system you can
probably expedite things by not doing so. Also
keep in mind that on some systems,
namely Mac OS X, /etc is a symbolic link
to /private/etc, which can make things
rather touchy if you do not proceed with
caution. Be certain to take the time to
make note of your systems' peculiarities.

Two further points deserve care. /etc
holds secrets such as master.passwd and
the SSH host keys, so anyone who can read
the repository can read them: restrict access
to it accordingly, and prefer svn+ssh:// over
the plain svn:// protocol used above, which
carries credentials and data in clear text.
A working copy also keeps a pristine copy
of every file under its .svn directory, so
check the permissions there after the
checkout rather than assuming the modes
on the originals still protect their contents.

Continuing with the original
assumption that we are experimenting
on a FreeBSD based system, execute the
two command blocks outlined below.
Considering that your system should
currently be in multi user mode, you should
be able to safely check out the repository
to a temp location. I'm using tce, which of
course is just etc backwards. Next reboot
to single user mode, remembering to
mount -w / once you are there (the root
filesystem comes up read-only) or you'll spin
your wheels for nothing, then execute the
latter command block (see Listing 1).

If all went as planned then you are now
running on your versioned system; all that
remains to do is boot back up to multi user
mode. Once safely back into multi user
mode let's try a few things. Suppose that
you assign one of your BSDAs to install
a new port that requires modifications to
your rc.conf as well as its new configuration
directory in /usr/local/etc and a new
startup script in /usr/local/etc/rc.d.

Your Jr sysadmin successfully builds
the port and installs the new application
and even performs the appropriate
check-ins to the repository, complete with
commentary documentation, as follows:

thoth: cd /etc
thoth: svn commit

The above should only transmit rc.conf,
if you added the new_app_enable="YES"
statement as required. Next you will want
to add the new configuration to your /usr/
local/etc section of the repository.

thoth: cd /usr/local/etc
thoth: svn add new_app
thoth: svn add rc.d/new_app.sh
thoth: svn commit

Alright, I know that this seems like a lot
more work, but consider what happens a
few weeks later when your Jr sysadmin
reboots the server for some other
maintenance and it hangs, dropping to
single user mode. Of course it does not
take a versioning system to locate the
missing closing quote on named_enable="YES,
but it's nice to be able to review the logs
and determine who was the last person
to modify the rc.conf and why.
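The missing quote is exactly the kind of error a commit should refuse rather than record. The check below is an added example, not part of the article or of Subversion: it validates every line of an rc.conf as either blank, a comment, or name=value with a complete quoted string or an unquoted token, and is meant to run before svn commit or from the repository's pre-commit hook. The two sample files used to exercise it are constructed.

```shell
#!/bin/sh
# rc.conf sanity check, intended to run before "svn commit" (or from the
# repository's pre-commit hook) so that a broken line such as
#     named_enable="YES
# is rejected before it reaches the repository, let alone the next boot.
# Added example, not part of the article; the sample files in the test
# are constructed.

# lint_rcconf FILE: list malformed lines (with line numbers) on stderr and
# return 1; return 0 when every line is blank, a comment, or name=value
# where value is a complete "..." string or an unquoted token.
# Returns 2 if FILE cannot be read.
lint_rcconf() {
    [ -r "$1" ] || { printf 'lint_rcconf: cannot read %s\n' "$1" >&2; return 2; }
    # grep -v prints the lines that match neither pattern; it exits 1 when
    # there are none, which is the good case, hence the "|| true".
    bad=$(grep -n -v -E \
        -e '^[[:space:]]*(#.*)?$' \
        -e '^[A-Za-z_][A-Za-z0-9_]*=("[^"]*"|[^"[:space:]]*)[[:space:]]*(#.*)?$' \
        "$1" || true)
    if [ -n "$bad" ]; then
        printf '%s: malformed line(s):\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}
```

To enforce it on the server side, the repository's hooks/pre-commit script can write the output of svnlook cat -t "$TXN" "$REPOS" Servers/THOTH/etc/rc.conf to a temporary file, run lint_rcconf on it, and exit non-zero to reject the transaction; the commit message then never gets a chance to explain a file that cannot be parsed.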

Obviously I have demonstrated there
a rather time consuming manual process
for all of this, and it is quite possible to
script much of the check-in and update
process once you are up and running.
Additionally, after reading this brief
introduction to versioning you may be
wondering why. Why oh why would I
even submit myself to all that effort and
action tracking? I do have a good answer
for you: concise documentation.

Consider that the server you just
added to versioning is not really touched
by you for several years. Your Jr sysadmin
faithfully maintains the system, checking in
all of his changes over the years, and one
day he leaves the company for a change of
career. Now what do you do? How do you
know all of the systems that this person
maintained? You could start logging in
and cataloging this manually, but if
you have a reliable versioning solution in
place you could simply run a report on his
activity over the last few months.

Another fine example is that you have to
perform a site audit of all your systems.
Perhaps you've wanted to build a network
topology diagram for years but of course
you just haven't had the resources
necessary to catalog hundreds of servers.
Suddenly the university you work for
has received a small grant to introduce
some GREEN initiatives and you sell them
on the idea that server consolidation
could potentially reduce their power
consumption by a sizable amount, if only
you had the resources, namely personnel,
to complete the task in a timely fashion.

Utilizing your new team of student
helpers, you task them with the job of
cataloging all of the servers. However, do
you really want to grant them direct access
to everything? With a
Subversion configuration file management
system in place you could instead grant
temporary read only access to the repository,
ultimately allowing this temporary support
staff to complete the task in a safe
environment. Bear in mind the secrets
noted earlier: use Subversion's path-based
authorization to keep master.passwd and
key material out of what that read-only
access can see.
Q&A about DTrace


Could you introduce yourself? 

John Birrell: I am an electrical engineer
by training, but a software developer in
practice. I've been contributing to FreeBSD
as a developer for over 10 years. I now
work for Juniper Networks in the JUNOS-
Core group in Sunnyvale, CA.

George Neville-Neil: I work on
networking and operating system code
for fun and profit. I also teach various
courses on subjects related to computer
programming. My professional areas of
interest include code spelunking, operating
systems, networking and security.

I am the co-author with Marshall
Kirk McKusick of "The Design and
Implementation of the FreeBSD Operating
System" and I am the columnist behind
ACM Queue's "Kode Vicious".


What is DTrace? 

John Birrell: DTrace is a dynamic tracing
system developed by Sun Microsystems
for their Solaris operating system.
The DTrace code was the first part of
Solaris to be open-sourced under Sun's
Common Development and Distribution
License (CDDL).

The beauty of DTrace is that it really
is dynamic. You can install probes on the
fly, look at the output for a while and then
remove the probes without restarting any
program.


What is your role in porting DTrace to 
FreeBSD? 

John Birrell: Like all things in FreeBSD,
the DTrace port happened because
I got intrigued after attending a
Sun Microsystems Developer Days
conference, which they hold frequently
around the world.

After the conference I was so keen to
try DTrace that I tried to install Solaris on
my latest PC, but it didn't recognise the
hardware so I got nowhere.

Instead I decided to port the code!
So, armed with an 86 MB download of
OpenSolaris source, I set out to find out
how DTrace was coded in Solaris.

I got some help from Sun's Bryan
Cantrill, who was generous and gave me
access to the DTrace test suite before
Sun had officially open sourced it.


Is the porting process totally complete? 

Is there anything that our readers might 
help you with? 

George Neville-Neil: There are still
providers to be worked on, such as
the PID provider, which is probably the
largest remaining piece to add.

Which platforms are supported at the
moment?

George Neville-Neil: Intel/AMD x86 32
and 64 bit definitely work. I use DTrace on
those every day.


The recent release 7.1 includes support 
for using DTrace inside the kernel. 

How can we take advantage of it? Do 

you expect to use DTrace to profile 
FreeBSD's kernel for example? 

John Birrell: I use DTrace daily. I am
working on a build system that uses
DTrace to work out the dependencies.

DTrace is a great tool for profiling
kernel operation because you don't have
to build anything in permanently. The
concept of adding printf in kernel code
is gone now. To make use of DTrace, you
really need to have access to the source
code.

That is why DTrace actually makes
more sense in FreeBSD than it does in
Solaris. Our code is always available.

Using DTrace is an iterative process.
Think of a question and try to probe to
test out your theory. Then when you see
some results, revise your question to
enable different probes.
Where can we find practical examples of
how DTrace works?

George Neville-Neil: The best resource is
the Sun manual. The first chapter has
examples that work with the FreeBSD
version of DTrace.
http://docs.sun.com/app/docs/doc/817-6223


Can we use DTrace to check how our 
code Is exploiting concurrency? 

George Neville-Neil: There are ways to
get DTrace to show you what CPU is
being used by a piece of code but this is
the kind of thing I'd think you'd use other
subsystems for, such as hwpmc(4).


Can DTrace help sysadmins do their 

job, or it is a tool more focused on 
programmers? 

John Birrell: There are things that
sysadmins can certainly benefit from. As
an example, imagine you have a suspect
user. You might want to probe what
applications the user is running. Or you
might want to trace what sockets he/she
creates to make outgoing connections.

How many times as a sysadmin have
you asked yourself the question: What on
earth is this system doing?

Having DTrace on a system makes
it easier to support from outside. Even
though a sysadmin may not understand
all the kernel code, the fact that DTrace is
there allows an external support person
to provide the sysadmin a script that can
be run by the sysadmin. Before passing
on the result for analysis, the sysadmin
can check the log to ensure that there is
no private data there.

The trick with DTrace is to enable
probes which give you a brief summary
of exactly what you want to know about
instead of dumping everything and
forcing you to parse it later.
NEW CERTIFICATION EXAM

The BSD Certification Group proudly announces
the availability of the BSD Associate Exam (BSDA),
the entry level exam for BSD System Administrators.

The BSD Associate Exam is a written proctored certification exam in English
only. The BSDCG has worked hard to make this psychometrically valid exam
affordable worldwide. See the list of selected conferences and register for an
exam seat for $75 USD at www.bsdcertification.org.

Get Involved.
Get Certified.
Get Ahead.

www.iXsystems.com

iXsystems is a proud sponsor
of BSD Certification Group Inc.

NetBSD, FreeBSD, OpenBSD, DragonFlyBSD

Use of the above names, trademarks, logos, and artwork does not imply endorsement of this certification program by their respective owners. BSD Certification Group Inc.
logo designed by F JZone.org. Logo Copyright 2006. BSDA logo copyright 2008, by the BSD Certification Group Inc.
iX-N1204

* 1U Form Factor with 4 Hot
  Swap SAS/SATA 3.5" Drive Bays
* Dual Intel® 64-Bit Socket 1366
  Quad-Core or Dual-Core, 5500
  (Tylersburg/Nehalem) Series
  Processors
* Intel® 5520 Chipset with
  QuickPath Interconnect (QPI)
* Up to 96GB DDR3 1333/1066/800
  SDRAM ECC Registered Memory
  (12 DIMM Slots)
* 2 PCI-E 2.0 x8 or 1 PCI-E x16
  Expansion Slots
* Intel® 82576 Dual Port Gigabit
  Ethernet Controller
* Matrox G200eW Graphics
* Remote Management-IPMI 2.0
  + IP-KVM with dedicated LAN
* Slim DVD
* 650W Redundant 80%+ High
  Efficiency Power Supply

iX-Neutron: A STAR AMONG SERVERS


In striving to bring our customers faster, more reliable
servers, iXsystems, Inc. introduces the new iX-Neutron
server line. The iX-Neutron server series brings Intel's®
newest chip technologies to your business to provide
an astronomically fast family of machines. The Intel®
5500 Tylersburg Xeon® processor utilizes these
technologies to greatly increase speed, performance,
and memory capacity, while saving energy simultaneously.
The processor performance scales dynamically based
on the requests and demands of the system. Visit us at
http://www.iXsystems.com/neutron for more information
and pricing.


iX-N2280

* 2U Form Factor with 8 Hot
  Swap SAS/SATA 3.5" Drive Bays
* Dual Intel® 64-Bit Socket 1366
  Quad-Core or Dual-Core, 5500
  (Tylersburg/Nehalem) Series
  Processors
* Dual Intel® 5520 chipsets with
  QuickPath Interconnect (QPI)
* Up to 144GB DDR3 1333/1066/800
  SDRAM ECC Registered Memory
  (18 DIMM Slots)
* 2 PCI-E 2.0 x16, 4 PCI-E x8
  (1 in x16 slot) and 1 PCI-E x4
  Expansion Slots
* Intel® 82576 Dual Port Gigabit
  Ethernet Controller
* Matrox G200eW Graphics
* Remote Management-IPMI 2.0
  + IP-KVM with dedicated LAN
* Slim DVD
* 700W Redundant 90%+ High
  Efficiency Power Supply


http://www.iXsystems.com 


iX-N3216

* 3U Form Factor with 16 Hot
  Swap SAS/SATA 3.5" Drive Bays
* Dual Intel® 64-Bit Socket 1366
  Quad-Core or Dual-Core, 5500
  (Tylersburg/Nehalem) Series
  Processors
* Dual Intel® 5520 chipsets with
  QuickPath Interconnect (QPI)
* Up to 144GB DDR3 1333/1066/800
  SDRAM ECC Registered Memory
  (18 DIMM Slots)
* 2 PCI-E 2.0 x16, 4 PCI-E x8
  (1 in x16 slot) and 1 PCI-E x4
  Expansion Slots
* Intel® 82576 Dual Port Gigabit
  Ethernet Controller
* Matrox G200eW Graphics
* Remote Management-IPMI 2.0
  + IP-KVM with dedicated LAN
* Slim DVD
* 800W Redundant 80%+ High
  Efficiency Power Supply